DotNetOpenAuth ASP.NET MVC 3 Session Issue

Question

I am using the openid-selector with DotNetOpenAuth in my MVC 3 app. Whenever I set a session variable and the DotNetOpenAuth sections are in the web.config, my session variables don't stick after a redirect.

I checked the Session.SessionID variable and it is still the same, so I am in the same session (I believe), but when I check the session variables I just set after a redirect they are all set to null.

I haven't seen anyone else with this issue. I am wondering if DotNetOpenAuth just isn't ready for MVC 3 yet. I am using the latest version of DotNetOpenAuth as well.

Here are the relevant portions of the web.config if it helps:

<configSections>
    <section name="uri" type="System.Configuration.UriSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
    <section name="dotNetOpenAuth" type="DotNetOpenAuth.Configuration.DotNetOpenAuthSection" requirePermission="false" allowLocation="true"/>
  </configSections>
  <uri>
    <idn enabled="All"/>
    <iriParsing enabled="true"/>
  </uri>
  <system.net>
    <defaultProxy enabled="true"/>
    <settings>
      <servicePointManager checkCertificateRevocationList="true"/>
    </settings>
  </system.net>
  <dotNetOpenAuth>
    <openid>
      <relyingParty>
        <security requireSsl="false"/>
        <behaviors>
          <add type="DotNetOpenAuth.OpenId.Behaviors.AXFetchAsSregTransform, DotNetOpenAuth"/>
        </behaviors>
      </relyingParty>
    </openid>
    <messaging>
      <untrustedWebRequest>
        <whitelistHosts>
          <add name="localhost"/>
        </whitelistHosts>
      </untrustedWebRequest>
    </messaging>
    <reporting enabled="true"/>
  </dotNetOpenAuth>

Updated:

it is happening on my development server, either in IIS, or when I run the ASP.NET development server.

Also, I tried running session in process and out of process using the state server, and it didn't make a difference.

In regards to a new session, I checked the session_start event, and that isn't being called. I also checked the Session.IsNewSession, and that returned false as well. So something is randomly (or maybe not so randomly) deleting my session variables!

Answer 1

Found the issue here (long ago now). Apparently MVC2 didn't care if I had a view for my actions where I just did some processing then a redirect.

However starting in MVC3, after my upgrade, if I didn't have a view for my action, the page registered an error, and once there was an error, the framework did not store the session variables I just set.

So simple fix... add the views and then also make sure there are no errors in the views.

Answer 2

DotNetOpenAuth certainly doesn't have Session.Abandon or Session.Clear anywhere in its codebase. It seems possible that if you're setting cookies after the redirect has been sent to the client that those cookies would be lost. Session variables aren't typically persisted as cookies individually though, so if you session cookie made it (and apparently it seems to have) then the rest of your state ought to be there.

It would be interesting to dig into this by implementing your own session store and monitoring what's really going on.

Answer 3

Not the best answer, but I figured out that it's the response.redirect that is killing the session variables for some reason.

So I just made it do a javascript redirect instead, the session stays, everything works fine. Still really don't know what the real issue is here, but hey, I don't have all day to figure it out.

Answer 4

This should work. I have used DotNetOpenAuth with ASP.NET MVC 3 without any issues. You might want to check that your session doesn't expire during the user is on the remote site for authentication. The fact that you are getting the same SessionId doesn't mean that the session hasn't expired. This could also happen if the server restarts the AppDomain.