Home/ Questions/Q 5930829
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T14:36:29+00:00

Is there any good reason why ASP.NET’s session state cookie and the Forms Authentication

  • 0

Is there any good reason why ASP.NET’s session state cookie and the Forms Authentication cookie are two separate cookies? What if I want to “tie” them to each other? Is it possible in an elegant way?

Right now, I am stuck with the following solution, which works, but is still ugly:

[Authorize]
public ActionResult SomeAction(SomeModel model)
{
    // The following four lines must be included in *every* controller action
    // that requires the user to be authenticated, defeating the purpose of
    // having the Authorize attribute.
    if (SomeStaticClass.WasSessionStateLost/*?*/) {
        FormsAuthentication.SignOut();
        return RedirectToAction("Login", "Account");
    }

    // ...
}

@RPM1984: This is what happens:

[HttpPost]
public ActionResult Login(LoginModel loginModel)
{
    if (/* user ok */)
    {
        // ...
        Session["UserID"] = loginModel.UserID;
        Session["Password"] = loginModel.Password;
        // ...
    }
    else
    {
        return View();
    }
}

And it doesn’t take much guessing to know what WasSessionStateLost does.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’ll start with a solution, then an explanation followed by a recommendation.

    Create a custom authorization attribute:

    Since your application defines Authorized as follows:

    • Logged in
    • Must have values in Session["UserID"] and Session["Password"]

    you need to define your own AuthorizationAttribute

        public class AuthorizedWithSessionAttribute : AuthorizeAttribute
    {    
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if(httpContext.Request.IsAuthenticated && 
                Session["UserID"] != null && Session["Password"] != null)
                return true;

            // sign them out so they can log back in with the Password
            if(httpContext.Request.IsAuthenticated)
                FormsAuthentication.SignOut(); 

            return false;
        }
    }

    Replace all your [Authorize] attributes with [AuthorizedWithSession] and you shouldn’t need to put session check code in your controllers.

    I don’t know enough about your application, but saving passwords in session (even worse in plain text) is not a secure thing to do.

    In addition, as RPM1984 said, the session cookie and authentication cookie are separate.

    Explanation:

    Think of the session as a bucket of info (on the server side) with your name on it. ASP.NET can take and put stuff in that bucket. ASP.NET gives you a name, your session id, and puts it on the bucket so it can know which one is yours.

    The authentication cookie tells ASP.NET that you’re authenticated and stores your authentication name in it. The authentication name is usually set by the developer of the application and is usually a unique key (think primary key in a DB) to separate you from the other users.

    Recommendation to be more secure:

    Encrypt the passwords before your store them. This is not total security, but it beats storing passwords in plain text and of course, if someone were to get a hold of the encryption key, they can crack the passwords.

    • 0