OWIN middleware for working with session-cookies and session properties.
A session is a way to store information (properties) to be used across multiple requests.
While it does use a cookie to remember the session id inside the user's browser, the properties themselves are stored in a back-end store.
The project comes with an in-memory session store, which can easily be replaced by a custom implementation.
REMARK: This library is only for those who don't want to depend on System.Web or HttpContext.Current and want a clean OWIN-only solution.

    PM> Install-Package OwinSessionMiddleware

or, if you want WebAPI integration:

    PM> Install-Package OwinSessionMiddleware.WebApi

In its simplest form, no extra parameters are required as the defaults will fit many simple projects:
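
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Register the session middleware first so later middleware can use the session.
            app.UseSessionMiddleware();

            // other middleware registrations...

            // UseWebApi requires an HttpConfiguration instance.
            var config = new HttpConfiguration();
            app.UseWebApi(config);
        }
    }
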
Options are set by passing an instance of SessionMiddlewareOptions to the UseSessionMiddleware extension method.

    var options = new SessionMiddlewareOptions
    {
        CookieName = "MyFancyCookieName"
    };
    app.UseSessionMiddleware(options);

Changes the name of the cookie that will be returned by the middleware. This option defaults to osm.sid.
Adds a domain value to the cookie that will be returned by the middleware. This option defaults to null, which will not add a domain to the cookie.
Adds an expires value to the cookie that will be returned by the middleware. This option defaults to null, which will not add an expires value to the cookie, so it will be valid for the current browser session only.
Please note that browsers configured to remember open tabs often store session cookies and recall them when the user re-opens the browser.
Adds the secure flag to the cookie that will be returned by the middleware. This option defaults to true, which means that the browser will only send the cookie for secure URLs (thus, for https:// and not for http://).
While this would be a possible option candidate, I decided not to include it because making the cookie available to JavaScript makes it vulnerable to XSS attacks. Therefore the HttpOnly flag is always set for the cookie.
Changes the session store that will be used to store sessions and their properties. This option defaults to an instance of InMemorySessionStore.
Any class that implements the ISessionStore interface can be used.
A delegate for generating unique session IDs. The default generator combines a Guid for uniqueness with a random byte sequence for randomness, which should be good for most applications.
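A generator in the spirit of the default described above, as an added example that is not the library's own code. The class and method names, the 32-byte random length and the hex encoding are assumptions; the delegate signature the option expects is not shown on this page, so the generator is written as a plain static method.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public static class SessionIdExample
{
    // Assumed size: 32 bytes (256 bits) of CSPRNG output per id.
    private const int RandomByteCount = 32;

    // Hypothetical generator: Guid for uniqueness, CSPRNG bytes for unpredictability.
    // A Guid alone is not designed to be unguessable, so it is never used by itself.
    public static string NewSessionId()
    {
        var random = new byte[RandomByteCount];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(random);
        }
        // Lowercase hex keeps the value cookie-safe without extra encoding.
        return Guid.NewGuid().ToString("N")
             + BitConverter.ToString(random).Replace("-", "").ToLowerInvariant();
    }

    // Shape check for a value read back from the cookie: 32 hex characters of Guid
    // plus 2 hex characters per random byte. Anything else was not issued here.
    public static bool LooksLikeSessionId(string value)
    {
        if (value == null || value.Length != 32 + RandomByteCount * 2) return false;
        foreach (var c in value)
        {
            bool hex = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f');
            if (!hex) return false;
        }
        return true;
    }

    public static void Main()
    {
        var seen = new HashSet<string>();
        for (var i = 0; i < 10000; i++)
        {
            var id = NewSessionId();
            if (!LooksLikeSessionId(id) || !seen.Add(id))
                throw new InvalidOperationException("bad or duplicate id: " + id);
        }
        Console.WriteLine("sample id: " + NewSessionId());
        // Constructed invalid input: rejected before it could be used as a store key.
        Console.WriteLine(LooksLikeSessionId("not-a-session-id"));
    }
}
```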
The base library adds an extension method to IOwinContext for getting the current session.
Once you have an instance of IOwinContext, you can get access to the session context.
From OWIN middleware, you can access the current session like this:

    app.Use(async (ctx, next) =>
    {
        // Read the per-session counter, increment it and store it back.
        var sessionContext = ctx.GetSessionContext();
        var requestCount = sessionContext.Get<int>("RequestCount");
        sessionContext.AddOrUpdate("RequestCount", ++requestCount);

        await next();
    });

From a controller, you could use HttpContext.Current.GetOwinContext().GetSessionContext() to get the context.
If you're using this inside an ApiController, consider using the OwinSessionMiddleware.WebApi package, which has some convenient extension methods you can use inside your controller actions:
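
    public IHttpActionResult MyAction()
    {
        // Read the per-session counter, increment it and store it back.
        var requestCount = Request.GetSessionProperty<int>("RequestCount");
        Request.SetSessionProperty("RequestCount", ++requestCount);

        // The action must return a result to compile.
        return Ok();
    }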