Accessing Session Using ASP.NET Web API

前端 未结 13 962
谎友^
谎友^ 2020-11-22 04:32

I realize session and REST don\'t exactly go hand in hand but is it not possible to access session state using the new Web API? HttpContext.Current.Session is a

相关标签:
13条回答
  • 2020-11-22 05:16

    You can access session state using a custom RouteHandler.

    // In global.asax
    public class MvcApp : System.Web.HttpApplication
    {
        public static void RegisterRoutes(RouteCollection routes)
        {
            var route = routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );
            route.RouteHandler = new MyHttpControllerRouteHandler();
        }
    }
    
    // Create two new classes
    public class MyHttpControllerHandler
        : HttpControllerHandler, IRequiresSessionState
    {
        public MyHttpControllerHandler(RouteData routeData) : base(routeData)
        { }
    }
    public class MyHttpControllerRouteHandler : HttpControllerRouteHandler
    {
        protected override IHttpHandler GetHttpHandler(
            RequestContext requestContext)
        {
            return new MyHttpControllerHandler(requestContext.RouteData);
        }
    }
    
    // Now Session is visible in your Web API
    public class ValuesController : ApiController
    {
        public string Get(string input)
        {
            var session = HttpContext.Current.Session;
            if (session != null)
            {
                if (session["Time"] == null)
                    session["Time"] = DateTime.Now;
                return "Session Time: " + session["Time"] + input;
            }
            return "Session is not availabe" + input;
        }
    }
    

    Found here: http://techhasnoboundary.blogspot.com/2012/03/mvc-4-web-api-access-session.html

    0 讨论(0)
  • 2020-11-22 05:16

    Mark, if you check the nerddinner MVC example the logic is pretty much the same.

    You only need to retrieve the cookie and set it in the current session.

    Global.asax.cs

    public override void Init()
    {
        this.AuthenticateRequest += new EventHandler(WebApiApplication_AuthenticateRequest);
        base.Init();
    }
    
    void WebApiApplication_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
    
        SampleIdentity id = new SampleIdentity(ticket);
        GenericPrincipal prin = new GenericPrincipal(id, null); 
    
        HttpContext.Current.User = prin;
    }
    
    enter code here
    

    You'll have to define your "SampleIdentity" class, which you can borrow from the nerddinner project.

    0 讨论(0)
  • 2020-11-22 05:18

    Well you're right, REST is stateless. If you use a session the processing will become stateful, subsequent requests will be able to use state (from a session).

    In order for a session to be rehydrated, you'll need to supply a key to associate the state. In a normal asp.net application that key is supplied by using a cookie (cookie-sessions) or url parameter (cookieless sessions).

    If you need a session forget rest, sessions are irrelevant in REST based designs. If you need a session for validation then use a token or authorise by IP addresses.

    0 讨论(0)
  • 2020-11-22 05:25

    I had this same problem in asp.net mvc, I fixed it by putting this method in my base api controller that all my api controllers inherit from:

        /// <summary>
        /// Get the session from HttpContext.Current, if that is null try to get it from the Request properties.
        /// </summary>
        /// <returns></returns>
        protected HttpContextWrapper GetHttpContextWrapper()
        {
          HttpContextWrapper httpContextWrapper = null;
          if (HttpContext.Current != null)
          {
            httpContextWrapper = new HttpContextWrapper(HttpContext.Current);
          }
          else if (Request.Properties.ContainsKey("MS_HttpContext"))
          {
            httpContextWrapper = (HttpContextWrapper)Request.Properties["MS_HttpContext"];
          }
          return httpContextWrapper;
        }
    

    Then in your api call that you want to access the session you just do:

    HttpContextWrapper httpContextWrapper = GetHttpContextWrapper();
    var someVariableFromSession = httpContextWrapper.Session["SomeSessionValue"];
    

    I also have this in my Global.asax.cs file like other people have posted, not sure if you still need it using the method above, but here it is just in case:

    /// <summary>
    /// The following method makes Session available.
    /// </summary>
    protected void Application_PostAuthorizeRequest()
    {
      if (HttpContext.Current.Request.AppRelativeCurrentExecutionFilePath.StartsWith("~/api"))
      {
        HttpContext.Current.SetSessionStateBehavior(SessionStateBehavior.Required);
      }
    }
    

    You could also just make a custom filter attribute that you can stick on your api calls that you need session, then you can use session in your api call like you normally would via HttpContext.Current.Session["SomeValue"]:

      /// <summary>
      /// Filter that gets session context from request if HttpContext.Current is null.
      /// </summary>
      public class RequireSessionAttribute : ActionFilterAttribute
      {
        /// <summary>
        /// Runs before action
        /// </summary>
        /// <param name="actionContext"></param>
        public override void OnActionExecuting(HttpActionContext actionContext)
        {
          if (HttpContext.Current == null)
          {
            if (actionContext.Request.Properties.ContainsKey("MS_HttpContext"))
            {
              HttpContext.Current = ((HttpContextWrapper)actionContext.Request.Properties["MS_HttpContext"]).ApplicationInstance.Context;
            }
          }
        }
      }
    

    Hope this helps.

    0 讨论(0)
  • 2020-11-22 05:30

    MVC

    For an MVC project make the following changes (WebForms and Dot Net Core answer down below):

    WebApiConfig.cs

    public static class WebApiConfig
    {
        public static string UrlPrefix         { get { return "api"; } }
        public static string UrlPrefixRelative { get { return "~/api"; } }
    
        public static void Register(HttpConfiguration config)
        {
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: WebApiConfig.UrlPrefix + "/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );
        }
    }
    

    Global.asax.cs

    public class MvcApplication : System.Web.HttpApplication
    {
        ...
    
        protected void Application_PostAuthorizeRequest()
        {
            if (IsWebApiRequest())
            {
                HttpContext.Current.SetSessionStateBehavior(SessionStateBehavior.Required);
            }
        }
    
        private bool IsWebApiRequest()
        {
            return HttpContext.Current.Request.AppRelativeCurrentExecutionFilePath.StartsWith(WebApiConfig.UrlPrefixRelative);
        }
    
    }
    

    This solution has the added bonus that we can fetch the base URL in javascript for making the AJAX calls:

    _Layout.cshtml

    <body>
        @RenderBody()
    
        <script type="text/javascript">
            var apiBaseUrl = '@Url.Content(ProjectNameSpace.WebApiConfig.UrlPrefixRelative)';
        </script>
    
        @RenderSection("scripts", required: false) 
    

    and then within our Javascript files/code we can make our webapi calls that can access the session:

    $.getJSON(apiBaseUrl + '/MyApi')
       .done(function (data) {
           alert('session data received: ' + data.whatever);
       })
    );
    

    WebForms

    Do the above but change the WebApiConfig.Register function to take a RouteCollection instead:

    public static void Register(RouteCollection routes)
    {
        routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: WebApiConfig.UrlPrefix + "/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional }
        );
    }
    

    And then call the following in Application_Start:

    WebApiConfig.Register(RouteTable.Routes);
    

    Dot Net Core

    Add the Microsoft.AspNetCore.Session NuGet package and then make the following code changes:

    Startup.cs

    Call the AddDistributedMemoryCache and AddSession methods on the services object within the ConfigureServices function:

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        ...
    
        services.AddDistributedMemoryCache();
        services.AddSession();
    

    and in the Configure function add a call to UseSession:

    public void Configure(IApplicationBuilder app, IHostingEnvironment env, 
    ILoggerFactory loggerFactory)
    {
        app.UseSession();
        app.UseMvc();
    

    SessionController.cs

    Within your controller, add a using statement at the top:

    using Microsoft.AspNetCore.Http;
    

    and then use the HttpContext.Session object within your code like so:

        [HttpGet("set/{data}")]
        public IActionResult setsession(string data)
        {
            HttpContext.Session.SetString("keyname", data);
            return Ok("session data set");
        }
    
        [HttpGet("get")]
        public IActionResult getsessiondata()
        {
            var sessionData = HttpContext.Session.GetString("keyname");
            return Ok(sessionData);
        }
    

    you should now be able to hit:

    http://localhost:1234/api/session/set/thisissomedata
    

    and then going to this URL will pull it out:

    http://localhost:1234/api/session/get
    

    Plenty more info on accessing session data within dot net core here: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/app-state

    Performance Concerns

    Read Simon Weaver's answer below regarding performance. If you're accessing session data inside a WebApi project it can have very serious performance consequence - I have seen ASP.NET enforce a 200ms delay for concurrent requests. This could add up and become disastrous if you have many concurrent requests.


    Security Concerns

    Make sure you are locking down resources per user - an authenticated user shouldn't be able to retrieve data from your WebApi that they don't have access to.

    Read Microsoft's article on Authentication and Authorization in ASP.NET Web API - https://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api

    Read Microsoft's article on avoiding Cross-Site Request Forgery hack attacks. (In short, check out the AntiForgery.Validate method) - https://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks

    0 讨论(0)
  • 2020-11-22 05:30

    I followed @LachlanB approach and indeed the session was available when the session cookie was present on the request. The missing part is how the Session cookie is sent to the client the first time?

    I created a HttpModule which not only enabling the HttpSessionState availability but also sends the cookie to the client when a new session is created.

    public class WebApiSessionModule : IHttpModule
    {
        private static readonly string SessionStateCookieName = "ASP.NET_SessionId";
    
        public void Init(HttpApplication context)
        {
            context.PostAuthorizeRequest += this.OnPostAuthorizeRequest;
            context.PostRequestHandlerExecute += this.PostRequestHandlerExecute;
        }
    
        public void Dispose()
        {
        }
    
        protected virtual void OnPostAuthorizeRequest(object sender, EventArgs e)
        {
            HttpContext context = HttpContext.Current;
    
            if (this.IsWebApiRequest(context))
            {
                context.SetSessionStateBehavior(SessionStateBehavior.Required);
            }
        }
    
        protected virtual void PostRequestHandlerExecute(object sender, EventArgs e)
        {
            HttpContext context = HttpContext.Current;
    
            if (this.IsWebApiRequest(context))
            {
                this.AddSessionCookieToResponseIfNeeded(context);
            }
        }
    
        protected virtual void AddSessionCookieToResponseIfNeeded(HttpContext context)
        {
            HttpSessionState session = context.Session;
    
            if (session == null)
            {
                // session not available
                return;
            }
    
            if (!session.IsNewSession)
            {
                // it's safe to assume that the cookie was
                // received as part of the request so there is
                // no need to set it
                return;
            }
    
            string cookieName = GetSessionCookieName();
            HttpCookie cookie = context.Response.Cookies[cookieName];
            if (cookie == null || cookie.Value != session.SessionID)
            {
                context.Response.Cookies.Remove(cookieName);
                context.Response.Cookies.Add(new HttpCookie(cookieName, session.SessionID));
            }
        }
    
        protected virtual string GetSessionCookieName()
        {
            var sessionStateSection = (SessionStateSection)ConfigurationManager.GetSection("system.web/sessionState");
    
            return sessionStateSection != null && !string.IsNullOrWhiteSpace(sessionStateSection.CookieName) ? sessionStateSection.CookieName : SessionStateCookieName;
        }
    
        protected virtual bool IsWebApiRequest(HttpContext context)
        {
            string requestPath = context.Request.AppRelativeCurrentExecutionFilePath;
    
            if (requestPath == null)
            {
                return false;
            }
    
            return requestPath.StartsWith(WebApiConfig.UrlPrefixRelative, StringComparison.InvariantCultureIgnoreCase);
        }
    }
    
    0 讨论(0)
提交回复
热议问题