ASP.net: Is it possible to initialize session manually from session-id

I am building a web service (ASMX) in C#. I am thinking of using ASP.net session ID as a token for authentication.

I have session-id generated with CreateSessionID. This will be sent to client after successful authentication (as return value of web-service call 'login').

For subsequent requests, the client will send the session-id as a parameter to the web-service call. Is it开发者_运维知识库 possible to recreate the session from this session ID string ?

Thanks in advance.

The problem with this approach is CreateSessionID doesn't actually create a session. As the name suggests, it creates only a unique session id. If you look at the MSDN documentation, it says

This method is not intended to be called from application code.

If you read a bit more, you'll see that the method is meant to be overridden by custom session id managers, which can then be integrated into the session management system by editing your web.config.

In other words, your current usage of CreateSessionID is not doing what you want it to do.

If you actually want to use Session state in your web service, you should have a look at this article.

Briefly, you need to add the EnableSession=true parameter to your [WebMethod] attributes, and then you can access the session automatically via Context.Session. Note that this does not require passing the session id via the service, as IIS will handle everything for you.

You can use the CreateSessionID() method (though preferably you'd use something else) to create a token that the users needs to pass with each request, but it would only be used to verify the user; no session could be regenerated based on it. If you do go this route, make sure your service is accessed via HTTPS. Otherwise, any eavesdropper will see the token right there in plain-text (though this can mitigated if you also check against IP address/user-agent string/etc.)

Hope that helps.