Reputation: 10906
I want to save some data to the session state. I need to save this data off when a user first logs in via forms authentication. I need this session state variable to have the same lifetime as the forms authentication ticket expiration. Is there some way to ensure that these two stay synchronized?
Upvotes: 1
Views: 1051
Reputation: 1039248
Is there some way to ensure that these two stay synchronized?
Both have a timeout value in web.config that you can set to the same value. Now, this being said, here's where your problems might start. A forms authentication cookie might have a sliding expiration set up whereas a session might not. So make sure you disable this sliding expiration for the authentication cookie if you want the two timeout values to match. And that's just the beginning. For the session you can choose where to store it: Off, InProc, StateServer, SQLServer.
When you use Off (personally what I use) ASP.NET session is disabled and you basically don't have any session.
When you set it to InProc (which is the default value) the session is stored in memory. Except that IIS could decide to recycle the AppDomain under different circumstances: a period of inactivity, a certain CPU/memory threshold being reached, ... This basically means that if the session is stored in memory and the AppDomain is unloaded by the web server, you lose everything stored in this session whereas, obviously, the authentication cookie continues to be valid.
StateServer and SQLServer are 2 different modes of out-of-process session storage where the information is no longer stored in the memory of the web server and can survive the AppDomain being recycled.
So basically, to sum up, it is very difficult to synchronize in a reliable manner the ASP.NET session lifecycle and the ASP.NET forms authentication cookie lifecycle. I solve this problem by not using ASP.NET session at all.
Upvotes: 3
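A small audit of the web.config settings the answer above names, as an added example that is not part of the original answer: it flags differing timeout values, a forms cookie whose slidingExpiration is not explicitly false, and the InProc or Off session modes. The sample configuration, the function name `audit_web_config` and the finding strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the original post).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="60" slidingExpiration="true" />
    </authentication>
    <sessionState mode="InProc" timeout="20" />
  </system.web>
</configuration>"""

FORMS_DEFAULT_TIMEOUT = 30    # minutes, ASP.NET default for <forms timeout>
SESSION_DEFAULT_TIMEOUT = 20  # minutes, ASP.NET default for <sessionState timeout>


def audit_web_config(xml_text):
    """Return a list of findings about forms-auth vs. session lifetime drift."""
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    forms = web.find("authentication/forms") if web is not None else None
    session = web.find("sessionState") if web is not None else None
    forms_attrs = forms.attrib if forms is not None else {}
    session_attrs = session.attrib if session is not None else {}

    findings = []
    forms_timeout = int(forms_attrs.get("timeout", FORMS_DEFAULT_TIMEOUT))
    session_timeout = int(session_attrs.get("timeout", SESSION_DEFAULT_TIMEOUT))
    if forms_timeout != session_timeout:
        findings.append(f"timeout mismatch: forms={forms_timeout} min, session={session_timeout} min")
    # Require an explicit value rather than relying on the framework default.
    if forms_attrs.get("slidingExpiration", "").lower() != "false":
        findings.append("forms slidingExpiration is not explicitly false")
    mode = session_attrs.get("mode", "InProc")  # InProc is the default mode
    if mode.lower() == "inproc":
        findings.append("sessionState mode is InProc: session is lost on AppDomain recycle")
    elif mode.lower() == "off":
        findings.append("sessionState mode is Off: no session to synchronize")
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```

An empty result only means the configured values line up; an out-of-process mode still has to be reachable at run time for the session to survive a recycle.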