Session question


Neil Moncur

Apr 30, 2012, 4:22:56 PM
to nu...@googlegroups.com
ASP.NET newbie here.  Is it an OK practice to use the HttpContext.Current.Session object to test user access?  I have created a session management object that will handle the database end of session authentication.  I want to write a function something like the following:

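    public static Boolean am_i_logged_in()
    {
        // No key stored in the server-side session: treat the request as not logged in.
        if (HttpContext.Current.Session["session_key"] == null)
        {
            return false;
        }
        else
        {
            // Check database for user's session key.
            // If session key is valid, return true.  Otherwise, return false.
            // session_key_is_valid is a hypothetical placeholder for that database lookup.
            return session_key_is_valid(HttpContext.Current.Session["session_key"]);
        }
    }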

Also, I am new to this group.  If this mailing list is for announcements only, and is not for these sorts of questions, please forgive the rookie mistake.

Thanks,

-Neil

Travis

Apr 30, 2012, 4:48:28 PM
to nu...@googlegroups.com
I would say "yes" here, but why are you re-writing the wheel? The framework already has this functionality built in:


Travis


Neil Moncur

May 1, 2012, 11:09:52 AM
to nu...@googlegroups.com
Thanks, Travis.  I'll look into the forms-authentication.  If the authentication management is all baked into .Net, that would probably be easier.  However, I'm not certain if I want to give up that level of control yet.  

Is this a standard practice -- to just let .Net handle all of the authentication for you?  Or is that a beginner tool, but more robust sites handle their own user authentication?

Been programming websites for a long time (including in old-school ASP) but just learning the ropes of ASP.NET.  Other languages I have used have an entry-level authentication system baked in, but it is assumed that those are for entry-level sites.  Anything more robust is expected to have its own login management strategy.

Thanks for any clarification you can provide.

Best,

-Neil


On Monday, April 30, 2012 2:48:28 PM UTC-6, Travis wrote:
I would say "yes" here, but why are you re-writing the wheel? The framework already has this functionality built in:


Travis

Jeremy Heiner

Apr 30, 2012, 10:17:37 PM
to nu...@googlegroups.com
Agree with Travis. However, I have had success keeping it simple, like the way you are doing it. However, the fewer the DB hits the better, IMHO. In your else{ } you could set ["session_key"] = the key the DB returned, thus avoiding DB hits on subsequent am_i_logged_in() calls. At least until the Session times out.

-- 
Jeremy Heiner
Software Engineer



Travis

May 1, 2012, 1:40:26 PM
to nu...@googlegroups.com
Yes, it is "usual practice"; however, I only use the FormsAuthentication aspect of it. I do not use the MembershipProvider that is available. Like you, I need more control, so I only use the FormsAuthentication for setting auth cookies, IsLoggedIn(), logging out, etc. FormsAuthentication is the way to go.

Travis
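
The split discussed in this thread (FormsAuthentication for the cookie, the site's own code for the user lookup, and a database result cached in Session), sketched as an added example that is not code from any poster. `IUserStore`, `Auth` and the session slot name are hypothetical, and the sketch assumes `<authentication mode="Forms">` is set in web.config.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical stand-in for the application's own user database code.
public interface IUserStore
{
    bool VerifyPassword(string userName, string password);
    bool IsAccountActive(string userName);
}
public static class Auth
{
    const string CheckedAtPrefix = "auth_checked_at:";   // hypothetical session slot name
    static readonly TimeSpan RecheckAfter = TimeSpan.FromMinutes(5);

    public static bool LogIn(IUserStore store, string userName, string password)
    {
        if (!store.VerifyPassword(userName, password) || !store.IsAccountActive(userName))
            return false;
        // Issue the forms-auth ticket cookie; false = not persisted across browser restarts.
        FormsAuthentication.SetAuthCookie(userName, false);
        HttpContext.Current.Session[CheckedAtPrefix + userName] = DateTime.UtcNow;
        return true;
    }
    public static bool AmILoggedIn(IUserStore store)
    {
        HttpContext ctx = HttpContext.Current;
        // Identity comes from the validated ticket, not from a value kept in Session.
        if (ctx == null || ctx.Session == null || !ctx.Request.IsAuthenticated)
            return false;
        string slot = CheckedAtPrefix + ctx.User.Identity.Name;
        object checkedAt = ctx.Session[slot];
        // Reuse a recent database answer, but only briefly, so a disabled account is cut off soon.
        if (checkedAt is DateTime && DateTime.UtcNow - (DateTime)checkedAt < RecheckAfter)
            return true;
        if (!store.IsAccountActive(ctx.User.Identity.Name))
        {
            LogOut();
            return false;
        }
        ctx.Session[slot] = DateTime.UtcNow;
        return true;
    }
    public static void LogOut()
    {
        FormsAuthentication.SignOut();            // removes the ticket cookie from the browser
        HttpContext.Current.Session.Abandon();    // discards server-side session data
    }
}
```

The cached check is keyed by user name and expires after `RecheckAfter`, so a stale Session entry cannot vouch for a different or since-disabled account for longer than that window.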
