Session data not persisting between requests?

Question

During my authorization processes, I need to set some data into the session so that it can travel with every request made by the web page. As soon as the authorization is approved in my AuthorizationAttribute.AuthorizeCore(), I make some calls to our services to retrieve the necessary data that needs to travel with every request and stuff it into the session via httpContext.Session["MyInfoObject"] = myInfoObject and then return true.

The session cookie is set and the next request shows that the user is now authenticated. However, when I attempt to retrieve the data that was previously stored via var myInfoObject = requestContext.HttpContext.Session["MyInfoObject"] as MyInfoObject; the entire session value collection is empty. I observed the Session object and I could see that the Session object is populated, and the SessionID is the same as the one in the session cookie in the browser, but the value collection is empty. Nothing was saved.

Any ideas?

Update I was checking the session values in the controller base class. I created a custom base class for my controllers and in the Initialize() override, I call base.Initialize() first and then start fiddling with the Session. At this stage, the session values are empty. However, if I place a break point inside of an Action on the Derived controller, my values are there. I think I'm missing something in the way the pipeline executes. Any info would help.

Answer 1

I was able to solve the issue and discover a few points. What it really came down to was the state of the session object at each stage of the pipeline. It was never NULL at any point; the problem was that all of the values I had previously stuffed into it weren't available yet based on where i was in the chain of execution. I didn't find any official documentation regarding the life cycle, but I was able to discover a few things:

• In the AuthProvider, you can add to the session value collection, but you can't read anything from it that wasn't added in the same method. I'm assuming it's because the session hasn't been fully hydrated yet. Other things like Session ID and other information at the top of the session object graph were completely filled and available.
• In the Authorization attribute, it's the same deal. You can add to the session, but you can't read anything out of it because it hasn't been fully hydrated yet. I was hoping to check tokens here but that's a no go. So instead, I just check to see if the user has an ASP auth token which just tells me that I haven't killed their session yet. Good enough. I'll check the tokens loaded in that session in a later step. And in the future, when roles are added in, I'll attempt to handle that here.
• In the OnActionExecuting override of my controller (or controller base in my case), you can get at the full session. Although, it's dumb to check tokens here. Instead, I assume that everything is already set by this point, so I use it to pull a user profile object out of the session and store it into a property, making it accessible to the derived controller. This gets executed after the next bullet.
• ActionFilterAttribute will have a fully hydrated Session object as well. So I created one called TokenManagementFilterAttribute. Here, I pull my tokens out of the session and do my scope checking and validation, and refresh and update the profile object as needed. If anything fails, I set the controller.Response to redirect back to the login page and kill the session.

Answer 2

I usually access the Session variables in a base controller by overriding the OnActionExecuting method. I think initialize is too early in the process. See enter link description here