In my ASP.NET MVC 3 application, when I check my remember me box in my LogOn Action, it should create a persistent cookie, so that when I close my browser and re-open it I should still be logged in:
FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
When I use Fiddler, I can see the Session ID is being sent like so:
Request sent 342 bytes of Cookie data:
ASP.NET_SessionId=<Session ID>; .ASPXAUTH=<Auth String>
But when I close my browser and re-open it, I’m still logged in but the Request doesn’t send a Session ID:
Request sent 298 bytes of Cookie data:
.ASPXAUTH=<Auth String>
I then put Response.Write(Session.SessionID) in my Action and this changes every time I refresh the page once I’ve re-opened my browser. If I don’t close my browser then the Session ID stays the same for every refresh.
I’m using the StateServer to hold the Session State as I thought this might solve the problem, as I also experienced it with InProc.
That’s expected behavior. The concept of setting an authorization cookie and the concept of sessions are not the same thing. A session in ASP.NET is meant to live as long as the user has their browser open, because a session is stored in a per-session cookie.
Having a persistent session is sort of a bad idea. Remember, the normal case for Sessions is that they are stored in memory. Would you really want to save the session of users in memory who haven’t logged in in a week? Any sort of “session” data you are trying to save that long should not be stored in a session, but in a persistent data store (read: database).
Updated based on your comment
Might I suggest you do something like this: