Accessing Session Using ASP NET Web API

Question

I realize session and REST don t exactly go hand in hand but is it not possible to access session state using the new Web API  HttpContext Current Session is always null

User · Answer

Well you re right  REST is stateless  If you use a session the processing will become stateful  subsequent requests will be able to use state  from a session    In order for a session to be rehydrated  you ll need to supply a key to associate the state  In a normal asp net application that key is supplied by using a cookie  cookie-sessions  or url parameter  cookieless sessions    If you need a session forget rest  sessions are irrelevant in REST based designs  If you need a session for validation then use a token or authorise by IP addresses

User · Answer

You can access session state using a custom RouteHandler      In global asax public class MvcApp   System Web HttpApplication       public static void RegisterRoutes RouteCollection routes                var route   routes MapHttpRoute              name   DefaultApi               routeTemplate   api  controller   id                defaults  new   id   RouteParameter Optional                      route RouteHandler   new MyHttpControllerRouteHandler                Create two new classes public class MyHttpControllerHandler       HttpControllerHandler  IRequiresSessionState       public MyHttpControllerHandler RouteData routeData    base routeData            public class MyHttpControllerRouteHandler   HttpControllerRouteHandler       protected override IHttpHandler GetHttpHandler          RequestContext requestContext                return new MyHttpControllerHandler requestContext RouteData               Now Session is visible in your Web API public class ValuesController   ApiController       public string Get string input                var session   HttpContext Current Session          if  session    null                        if  session  Time      null                  session  Time     DateTime Now              return  Session Time      session  Time     input                    return  Session is not availabe    input            Found here  http   techhasnoboundary blogspot com 2012 03 mvc-4-web-api-access-session html

User · Answer

To fix the issue   protected void Application PostAuthorizeRequest         System Web HttpContext Current SetSessionStateBehavior System Web SessionState SessionStateBehavior Required       in Global asax cs

User · Answer

Mark  if you check the nerddinner MVC example the logic is pretty much the same   You only need to retrieve the cookie and set it in the current session   Global asax cs  public override void Init         this AuthenticateRequest    new EventHandler WebApiApplication AuthenticateRequest       base Init       void WebApiApplication AuthenticateRequest object sender  EventArgs e        HttpCookie cookie   HttpContext Current Request Cookies FormsAuthentication FormsCookieName       FormsAuthenticationTicket ticket   FormsAuthentication Decrypt cookie Value        SampleIdentity id   new SampleIdentity ticket       GenericPrincipal prin   new GenericPrincipal id  null         HttpContext Current User   prin     enter code here   You ll have to define your  SampleIdentity  class  which you can borrow from the nerddinner project

User · Answer

I followed  LachlanB approach and indeed the session was available when the session cookie was present on the request  The missing part is how the Session cookie is sent to the client the first time    I created a HttpModule which not only enabling the HttpSessionState availability but also sends the cookie to the client when a new session is created   public class WebApiSessionModule   IHttpModule       private static readonly string SessionStateCookieName    ASP NET SessionId        public void Init HttpApplication context                context PostAuthorizeRequest    this OnPostAuthorizeRequest          context PostRequestHandlerExecute    this PostRequestHandlerExecute             public void Dispose                    protected virtual void OnPostAuthorizeRequest object sender  EventArgs e                HttpContext context   HttpContext Current           if  this IsWebApiRequest context                         context SetSessionStateBehavior SessionStateBehavior Required                        protected virtual void PostRequestHandlerExecute object sender  EventArgs e                HttpContext context   HttpContext Current           if  this IsWebApiRequest context                         this AddSessionCookieToResponseIfNeeded context                        protected virtual void AddSessionCookieToResponseIfNeeded HttpContext context                HttpSessionState session   context Session           if  session    null                           session not available             return                     if   session IsNewSession                           it s safe to assume that the cookie was                received as part of the request so there is                no need to set it             return                     string cookieName   GetSessionCookieName            HttpCookie cookie   context Response Cookies cookieName           if  cookie    null    cookie Value    session SessionID                        context Response Cookies Remove cookieName               context Response Cookies Add new HttpCookie cookieName  session SessionID                         protected virtual string GetSessionCookieName                 var sessionStateSection    SessionStateSection ConfigurationManager GetSection  system web sessionState             return sessionStateSection    null  amp  amp   string IsNullOrWhiteSpace sessionStateSection CookieName    sessionStateSection CookieName   SessionStateCookieName             protected virtual bool IsWebApiRequest HttpContext context                string requestPath   context Request AppRelativeCurrentExecutionFilePath           if  requestPath    null                        return false                     return requestPath StartsWith WebApiConfig UrlPrefixRelative  StringComparison InvariantCultureIgnoreCase

User · Answer

Last one is not working now  take this one  it worked for me   in WebApiConfig cs at App Start      public static string  WebApiExecutionPath    api        public static void Register HttpConfiguration config                var basicRouteTemplate   string Format   0   1     WebApiExecutionPath    controller                 Controller Only            To handle routes like   api VTRouting          config Routes MapHttpRoute              name   ControllerOnly               routeTemplate  basicRouteTemplate    0   controller                          Controller with ID            To handle routes like   api VTRouting 1          config Routes MapHttpRoute              name   ControllerAndId               routeTemplate  string Format    0   1    basicRouteTemplate    id                 defaults  null              constraints  new   id       d         Only integers               Global asax  protected void Application PostAuthorizeRequest       if  IsWebApiRequest            HttpContext Current SetSessionStateBehavior SessionStateBehavior Required          private static bool IsWebApiRequest       return HttpContext Current Request AppRelativeCurrentExecutionFilePath StartsWith  WebApiExecutionPath       fournd here  http   forums asp net t 1773026 aspx 1

User · Answer

one thing need to mention on  LachlanB  s answer   protected void Application PostAuthorizeRequest                 if  IsWebApiRequest                          HttpContext Current SetSessionStateBehavior SessionStateBehavior Required                     If you omit the line   if  IsWebApiRequest     The whole site will have page loading slowness issue if your site is mixed with web form pages

User · Answer

I had this same problem in asp net mvc  I fixed it by putting this method in my base api controller that all my api controllers inherit from            lt summary gt          Get the session from HttpContext Current  if that is null try to get it from the Request properties           lt  summary gt           lt returns gt  lt  returns gt      protected HttpContextWrapper GetHttpContextWrapper               HttpContextWrapper httpContextWrapper   null        if  HttpContext Current    null                  httpContextWrapper   new HttpContextWrapper HttpContext Current                 else if  Request Properties ContainsKey  MS HttpContext                    httpContextWrapper    HttpContextWrapper Request Properties  MS HttpContext                  return httpContextWrapper          Then in your api call that you want to access the session you just do   HttpContextWrapper httpContextWrapper   GetHttpContextWrapper    var someVariableFromSession   httpContextWrapper Session  SomeSessionValue      I also have this in my Global asax cs file like other people have posted  not sure if you still need it using the method above  but here it is just in case        lt summary gt      The following method makes Session available       lt  summary gt  protected void Application PostAuthorizeRequest       if  HttpContext Current Request AppRelativeCurrentExecutionFilePath StartsWith    api            HttpContext Current SetSessionStateBehavior SessionStateBehavior Required           You could also just make a custom filter attribute that you can stick on your api calls that you need session  then you can use session in your api call like you normally would via HttpContext Current Session  SomeValue            lt summary gt        Filter that gets session context from request if HttpContext Current is null         lt  summary gt    public class RequireSessionAttribute   ActionFilterAttribute              lt summary gt          Runs before action          lt  summary gt           lt param name  actionContext  gt  lt  param gt      public override void OnActionExecuting HttpActionContext actionContext              if  HttpContext Current    null                  if  actionContext Request Properties ContainsKey  MS HttpContext                        HttpContext Current     HttpContextWrapper actionContext Request Properties  MS HttpContext    ApplicationInstance Context                                Hope this helps

User · Answer

Following on from LachlanB s answer  if your ApiController doesn t sit within a particular directory  like  api  you can instead test the request using RouteTable Routes GetRouteData  for example   protected void Application PostAuthorizeRequest                    WebApi SessionState         var routeData   RouteTable Routes GetRouteData new HttpContextWrapper HttpContext Current            if  routeData    null  amp  amp  routeData RouteHandler is HttpControllerRouteHandler              HttpContext Current SetSessionStateBehavior SessionStateBehavior Required

User · Answer

Yes  session doesn t go hand in hand with Rest API and also we should avoid this practices  But as per requirements we need to maintain session somehow such that in every request client server can exchange or maintain state or data  So  the best way to achieve this without breaking the REST protocols is communicate through token like JWT   https   jwt io

User · Answer

Going back to basics why not keep it simple and store the Session value in a hidden html value to pass to your API   Controller  public ActionResult Index                          Session  Blah     609               YourObject yourObject   new YourObject                yourObject SessionValue   int Parse Session  Blah   ToString                  return View yourObject               cshtml   model YourObject         var sessionValue   Model SessionValue      lt input type  hidden  value   sessionValue  id  hBlah    gt    Javascript    document  ready function           var sessionValue       hBlah   val         alert sessionValue           Now call your API with the session variable

User · Answer

Why to avoid using Session in WebAPI  Performance  performance  performance  There s a very good  and often overlooked reason why you shouldn t be using Session in WebAPI at all  The way ASP NET works when Session is in use is to serialize all requests received from a single client  Now I m not talking about object serialization - but running them in the order received and waiting for each to complete before running the next   This is to avoid nasty thread   race conditions if two requests each try to access Session simultaneously   Concurrent Requests and Session State Access to ASP NET session state is exclusive per session  which means that if two different users make concurrent requests  access to each separate session is granted concurrently  However  if two concurrent requests are made for the same session  by using the same SessionID value   the first request gets exclusive access to the session information  The second request executes only after the first request is finished   The second session can also get access if the exclusive lock on the information is freed because the first request exceeds the lock time-out   If the EnableSessionState value in the   Page directive is set to ReadOnly  a request for the read-only session information does not result in an exclusive lock on the session data  However  read-only requests for session data might still have to wait for a lock set by a read-write request for session data to clear   So what does this mean for Web API  If you have an application running many AJAX requests then only ONE is going to be able to run at a time  If you have a slower request then it will block all others from that client until it is complete  In some applications this could lead to very noticeably sluggish performance  So you should probably use an MVC controller if you absolutely need something from the users session and avoid the unncesessary performance penalty of enabling it for WebApi  You can easily test this out for yourself by just putting Thread Sleep 5000  in a WebAPI method and enable Session  Run 5 requests to it and they will take a total of 25 seconds to complete  Without Session they ll take a total of just over 5 seconds   This same reasoning applies to SignalR

User · Answer

MVC   For an MVC project make the following changes  WebForms and Dot Net Core answer down below    WebApiConfig cs  public static class WebApiConfig       public static string UrlPrefix           get   return  api           public static string UrlPrefixRelative   get   return    api            public static void Register HttpConfiguration config                config Routes MapHttpRoute              name   DefaultApi               routeTemplate  WebApiConfig UrlPrefix      controller   id                defaults  new   id   RouteParameter Optional                        Global asax cs  public class MvcApplication   System Web HttpApplication                protected void Application PostAuthorizeRequest                 if  IsWebApiRequest                          HttpContext Current SetSessionStateBehavior SessionStateBehavior Required                        private bool IsWebApiRequest                 return HttpContext Current Request AppRelativeCurrentExecutionFilePath StartsWith WebApiConfig UrlPrefixRelative              This solution has the added bonus that we can fetch the base URL in javascript for making the AJAX calls    Layout cshtml   lt body gt       RenderBody         lt script type  text javascript  gt          var apiBaseUrl     Url Content ProjectNameSpace WebApiConfig UrlPrefixRelative         lt  script gt        RenderSection  scripts   required  false     and then within our Javascript files code we can make our webapi calls that can access the session     getJSON apiBaseUrl     MyApi       done function  data           alert  session data received      data whatever                   WebForms   Do the above but change the WebApiConfig Register function to take a RouteCollection instead   public static void Register RouteCollection routes        routes MapHttpRoute          name   DefaultApi           routeTemplate  WebApiConfig UrlPrefix      controller   id            defaults  new   id   RouteParameter Optional              And then call the following in Application Start   WebApiConfig Register RouteTable Routes          Dot Net Core   Add the Microsoft AspNetCore Session NuGet package and then make the following code changes   Startup cs  Call the AddDistributedMemoryCache and AddSession methods on the services object within the ConfigureServices function   public void ConfigureServices IServiceCollection services        services AddMvc                 services AddDistributedMemoryCache        services AddSession      and in the Configure function add a call to UseSession   public void Configure IApplicationBuilder app  IHostingEnvironment env   ILoggerFactory loggerFactory        app UseSession        app UseMvc      SessionController cs  Within your controller  add a using statement at the top   using Microsoft AspNetCore Http    and then use the HttpContext Session object within your code like so        HttpGet  set  data         public IActionResult setsession string data                HttpContext Session SetString  keyname   data           return Ok  session data set                HttpGet  get        public IActionResult getsessiondata                 var sessionData   HttpContext Session GetString  keyname            return Ok sessionData           you should now be able to hit   http   localhost 1234 api session set thisissomedata   and then going to this URL will pull it out   http   localhost 1234 api session get   Plenty more info on accessing session data within dot net core here  https   docs microsoft com en-us aspnet core fundamentals app-state      Performance Concerns   Read Simon Weaver s answer below regarding performance  If you re accessing session data inside a WebApi project it can have very serious performance consequence - I have seen ASP NET enforce a 200ms delay for concurrent requests  This could add up and become disastrous if you have many concurrent requests        Security Concerns   Make sure you are locking down resources per user - an authenticated user shouldn t be able to retrieve data from your WebApi that they don t have access to    Read Microsoft s article on Authentication and Authorization in ASP NET Web API - https   www asp net web-api overview security authentication-and-authorization-in-aspnet-web-api  Read Microsoft s article on avoiding Cross-Site Request Forgery hack attacks   In short  check out the AntiForgery Validate method  -  https   www asp net web-api overview security preventing-cross-site-request-forgery-csrf-attacks

[asp.net] Accessing Session Using ASP.NET Web API

Examples related to asp.net

Examples related to asp.net-web-api