I have an ASP.NET MVC 5 website with OWIN authentication. Each user has different credentials in the base database, which is also used to authenticate the user through the UserManager. I keep the username/password in session state before returning UserManager.FindAsync, since the application will need to use them to access the database in any subsequent request from the same user.
When a session is lost (for example, because of an AppDomain recycle), the credentials are lost along with it. But OWIN continues to authenticate the user, possibly based on a cookie sent by the browser. What I end up with is an authenticated user ... without a session and therefore with no database credentials.
The easiest way to reproduce this behavior is to create a new ASP.NET MVC 5 application that authenticates individual user accounts and add some session data at the end of the AccountController.SignInAsync method.
    private async Task SignInAsync(ApplicationUser user, bool isPersistent)
    {
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
        var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity);
        HttpContext.Session["Data"] = "Data";
    }
Then try to get this information on any controller.
    public ActionResult About()
    {
        ViewBag.Message = Session["Data"];
        return View();
    }
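One way to detect the state described in the question, as an added example that is not part of the original post: a global MVC action filter that signs the user out when the request is authenticated by the OWIN cookie but the session entry is gone. The filter name is hypothetical; the session key "Data" and the ApplicationCookie type come from the question's code, and the example assumes the default template's cookie middleware with a LoginPath configured.

```csharp
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

// Hypothetical filter name; not part of ASP.NET Identity or the question's project.
public sealed class RequireSessionStateAttribute : ActionFilterAttribute
{
    // Session key written at the end of SignInAsync in the question.
    private const string SessionKey = "Data";

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase http = filterContext.HttpContext;

        // The OWIN cookie alone is enough to make the request authenticated.
        bool authenticated = http.User != null
                             && http.User.Identity != null
                             && http.User.Identity.IsAuthenticated;

        // The session entry is gone after an AppDomain recycle or session timeout.
        bool sessionPresent = http.Session != null
                              && http.Session[SessionKey] != null;

        if (authenticated && !sessionPresent)
        {
            // Revoke the application cookie so the two lifetimes agree again.
            IAuthenticationManager auth = http.GetOwinContext().Authentication;
            auth.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

            // A 401 lets the cookie middleware redirect to its LoginPath (assumed configured).
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        base.OnActionExecuting(filterContext);
    }
}

// Registration for every controller, e.g. in FilterConfig.RegisterGlobalFilters:
//     filters.Add(new RequireSessionStateAttribute());
```

Anonymous requests pass through untouched, so the login action itself is not affected by the filter.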