Best way to handle "session" specific user data in a CSLA MVC app?

Best way to handle "session" specific user data in a CSLA MVC app?

Old forum URL:

Dane posted on Friday, April 05, 2013

I make fairly heavy use of the user's Id value in my application. In the Silverlight and Windows UI Csla.ApplicationContext.User.Identity is of my custom identity type after authentication but, of course, in MVC it resolves simply to an IIdentity object. Is the best approach to persisting something like a user Id to utilize a Session or is there some better approach that CSLA itself helps with?


RockfordLhotka replied on Saturday, April 06, 2013

I discuss various alternatives in the 'Expert 2008 Business Objects' book and in the 'Using CSLA 4' ebook series.

Because the web server doesn't remember anything between requests, you have to recreate or re-obtain the principal/identity at the start of each page request.

In and of itself that's not terribly hard - there's an event in global.asax for this purpose.

The trick is figuring out the optimal way to recreate or re-obtain the identity data. Common options include:


Dane replied on Monday, April 08, 2013

I ended up going with the cookie. I really just needed the UserId to persist and that's plenty small enough.

RockfordLhotka replied on Monday, April 08, 2013

Ahh, if _all_ you need is the user id (user name) then you don't need to do any work yourself, because Forms Authentication will do it for you. ASP.NET forms authn _already_ creates an encrypted cookie with the username.

That cookie is used to automatically create a very basic principal/identity on each postback - so you have easy access to the username.

skagen00 replied on Monday, April 08, 2013

Not just that, but the forms auth ticket gets encrypted in the forms auth cookie; if you're just storing a user name in a cookie in plain text that seems like a problem if you're using it to pass as authentication.

Dane replied on Monday, April 08, 2013

No, user name is being stored in the ticket which is being encrypted and then stored in a cookie. I just needed both the user name and the user Id values which was easily accomplished with the UserData field on the ticket.

Copyright (c) Marimer LLC