I am developing an ASP.Net MVC 3 Web application with Entity Framework 4. When a user logs into my application I would like to store their user entity (firstName, lastName etc) in a session which can then be access throughout the application.
I understand that this may not be a good idea because when the ObjectContext closes/ disposes, then the User entity is detached and the user details could be lost.
I thought another method could be, when the user logs in, assign the userID (Primary Key) to a session variable, ie:
HttpContext.Current.Session["currentUserID"] = user.userID;
Then create a class in the UserService class like so:
public static User CurrentUser
{
get
{
return Data.DBEntities.Users.Where(u => u.userID == HttpContext.Current.Session["currentUserID"]).FirstOrDefault();
}
}
Which should return a User Entity based on the currentUserID session variable. This isn’t working for me however, I am getting a couple of errors
Cannot convert lambda expression to type 'string' because it is not a delegate type
Delegate 'System.Func<Asset.Model.User,int,bool>' does not take 1 arguments
Is this approach I am taking correct, or is there a better way?
Any feedback would be much appreciated.
First, don’t store security-sensitive information in
Session. Google “ASP.NET Session hijacking” for info as to why.That said, this code can be made to work. You just have a cast error. Also, You’re not accounting for the fact that
Sessioncan and does expire during a login. You could do this:…which at least compiles, but isn’t secure and sometimes throws.
It would be better to store the user ID on a custom principal, which is secure and doesn’t expire.