I am using SimpleMembership in our MVC 4 project and this creates a session as expected, but it seems that the user information persists after the session expires.
For example, after 20 minutes, If User.Identity.IsAuthenticated == true still works, but my session vars are all empty.
Can someone tell me why this happens? Is this cookie managed? Is it necessary to do some other check than If User.Identity.IsAuthenticated == true?
I can't have someone gaining access if their session has expired.
Thanks
Those are 3 different notions in ASP.NET:
Those 3 can be used separately and do not have any dependencies between them. I will try to describe each of them separately:
ASP.NET Session - provides a server side storage of some information that you want to be persisted between various HTTP requests. Out of the box there are 3 types of storage on the server: InProc, StateServer and SQLServer. There's a cookie on the client which contains just the identifier of the session so that on the server the correct data can be retrieved from the corresponding store. You can read more about ASP.NET Session here: http://msdn.microsoft.com/en-us/library/ms178581(v=vs.100).aspx
Forms Authentication - Used to track authenticated users. The currently authenticated user is stored in a cookie. Actually his encrypted username is stored in the forms authentication cookie and passed on each request. The User.Identity.IsAuthenticated property is populated from the value of this cookie by the FormsAuthenticationModule. You can read more about how forms authentication works here: http://msdn.microsoft.com/en-us/library/ff647070.aspx
Simple Membership Provider - ASP.NET MembershipProvider implementation using SQL server for storage of the membership users.
In ASP.NET MVC those notions work the same way as in classic ASP.NET WebForms. The only difference is that you could decorate your controller actions with the Authorize attribute to ensure that only authenticated users (those that have provided a valid forms authentication cookie) can access the action.
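
Because the session and the forms authentication cookie expire independently, one way to refuse access once the session is gone is an Authorize subclass that requires both. This is an added example, not code from the question or the answer; the attribute name and session key are hypothetical, and it assumes the login action stores the user name in Session under that key after a successful sign-in.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical attribute: not part of ASP.NET MVC or SimpleMembership.
public class SessionBoundAuthorizeAttribute : AuthorizeAttribute
{
    // Hypothetical key. Assumed to be set at login, e.g.
    //   Session[SessionBoundAuthorizeAttribute.SessionUserKey] = model.UserName;
    public const string SessionUserKey = "AuthenticatedUser";

    // Kept free of side effects: MVC also calls this during output-cache
    // validation, where session state is not yet available.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // base check = valid forms authentication ticket (+ Users/Roles if set)
        return base.AuthorizeCore(httpContext) && SessionMatchesUser(httpContext);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        HttpContextBase ctx = filterContext.HttpContext;

        // Ticket still valid but the session expired (or holds another user):
        // expire the auth cookie too, so IsAuthenticated stops being true.
        if (ctx.User.Identity.IsAuthenticated && !SessionMatchesUser(ctx))
        {
            FormsAuthentication.SignOut();
            if (ctx.Session != null) ctx.Session.Abandon();
        }

        // Default behaviour: 401, which forms authentication turns into a
        // redirect to the configured loginUrl.
        base.HandleUnauthorizedRequest(filterContext);
    }

    private static bool SessionMatchesUser(HttpContextBase ctx)
    {
        string bound = ctx.Session == null ? null : ctx.Session[SessionUserKey] as string;
        return bound != null &&
               string.Equals(bound, ctx.User.Identity.Name, StringComparison.OrdinalIgnoreCase);
    }
}
```

Apply it in place of Authorize on controllers or as a global filter. With InProc session storage an application restart clears every session, so all users will be sent back to the login page after one.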