Authenticating sessions with username/password works in desktop apps, where the session is kept open for the duration of the app.

But what about web apps? The expected use case is that the user logs in once with a username and password, and he is authenticated for the duration of his session. What do you recommend here? That we store his username/password in session state, and use it for Session.Authenticate on every request? Or would it be better that we store his User ID (Key) in a cookie, and be able to authenticate with the key (plus possibly a token)... e.g. Session.Authenticate(UserIdFromCookie [, TokenFromCookie]).

I don't like the idea of storing passwords in session state.

asked Nov 19 '11 at 09:09

ara's gravatar image


Storing name & password is really bad idea. All you need is some identity allowing to identify the user.

(Nov 20 '11 at 03:29) Alex Yakunin Alex%20Yakunin's gravatar image

2 Answers:

We use nearly this code in our web apps:

Getting Id of current user:

    public long AccountId {
        get {
            var httpContext = GetHttpContext();
            if (!httpContext.Request.IsAuthenticated)
                return 0;

            long id;
            if (!long.TryParse(httpContext.User.Identity.Name, out id))
                id = 0;
            return id;

And to store authentication info:

    FormsAuthentication.SetAuthCookie(account.Id.ToString(), rememberMe);

"Nearly", because actual code caches account info (DTO) in HttpContext.Items, etc.

answered Nov 20 '11 at 03:27

Alex%20Yakunin's gravatar image

Alex Yakunin

We already do this. What I was talking about is authenticating the session with a user... so that in future requests you can call session.GetImpersonationContext() from within an Entity and see which user "is logged in". I was under the impression that you must use session.Authenticate(username, password) in order to do so. Apparently, you can just use session.Impersonate(user). Is that correct?

(Nov 20 '11 at 04:12) ara ara's gravatar image


These are 2 principally different operations: authentication & impersonation.

Session.Authenticate() should be used when you need to authenticate a user by his name & password or any other credentials. This method does nothing except checking credentials for validity and returning IPrincipal instance or null.

Session.Impersonate takes IPrincipal instance and configures current Session with the help of ImpersonationContext. So if you already know Key/ID/Token/Whatever of already authenticated user, you should use Session.Impersonate.

Hope that helps.

answered Nov 20 '11 at 07:05

Dmitri%20Maximov's gravatar image

Dmitri Maximov

Your answer
Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!
toggle preview

powered by OSQA