Issues with storing the custom Principal in Session for ASP.NET MVC

Question

I am running into an issue with ASP.NET MVC where it is forcing the user to log back in after about 20 mins of inactivity.

I am using Forms Authentication and have i

Answer 1

Mixing concerns of FormsAuthentication with SessionState is just a bad idea on many levels, as you are noticing from the answers you are getting.

If the information describing your custom principal is small, I would suggest storing it in the UserData member of the forms ticket. That is what it is there for.

Then your custom data, which is only valid with a valid ticket, is stored with the ticket.

Many problems solved and mucho code obviated.

Here is a helper class that can help you with your ticket.

CAVEAT: In practice the max http cookie size is just shy of the official 4k limit and Encryption cuts that in half approximately.

If you can ensure that your ticket, including principal data will fit into <2k you should be good to go. Creating a custom serialization for your principal can help, e.g. name=value pairs works great if your data will cooperate.

Good luck.