what makes a request a new request in asp.net C#

Posted 2019-07-16 02:41

Question:

OK, basically I am trying to implement form authentication in my web application, and to do this I need to know how the web server decides whether a request is a new one or not. This is because the web server creates a new session per new request.

So I create an authentication cookie per successful login, and it's a persistent cookie that will last until it times out, regardless of whether the user closes his/her browser or loses connection and has to reconnect, as this cookie is stored on the client computer. So in that case, let's say the user reconnects to the server and his authentication cookie hasn't timed out yet. So his request is therefore already authenticated, so does this also mean that this is not a new request? And the server will not create a new session for it, as one already exists for it?

Another case/scenario would be if the authentication cookie times out before the user reconnects: the request will not be authenticated, but will this request also be considered a new request or not, and therefore the server won't create a new session for it, as one already exists for it?

I am asking this because I want to store a user-ID in the session once a user has successfully logged in, so that when the authentication cookie times out I can then go and retrieve the user-ID in the session, as the session times out much later than the authentication cookie, and then update my user table to indicate that that user is no longer logged in.

Answer 1:

So in that case, let's say the user reconnects to the server and his authentication cookie hasn't timed out yet. So his request is therefore already authenticated, so does this also mean that this is not a new request?

It is not a new request from the Form Authentication system's point of view, because the request provides a valid form authentication cookie.

And the server will not create a new session for it, as one already exists for it?

The session handling mechanism is distinct from the Form authentication mechanism. A client can hit the server with a valid form authentication cookie and no valid session cookie (and, as those mechanisms are distinct, any combination is possible). So, the server will create a new session if a session is required and the client does not have one.

so that when the authentication cookie times out I can then go and retrieve the user-ID in the session, as the session times out much later than the authentication cookie

If your site is mostly authentication-based, maybe you should do it the other way by configuring a longer form authentication duration than session duration.

  • enforce form authentication on your pages/controllers/actions
  • during your pages/actions processing, ensure that the userid is stored in the session. If not, store it so that it is available on session_end
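
The approach in the answer above, sketched as a Global.asax.cs (an added example, not code from the original answer). Assumptions: the user ID is taken from `User.Identity.Name`, and the session key `UserId`, the connection string name `AppDb` and the `Users`/`IsLoggedIn`/`UserName` schema are hypothetical. `Session_End` is raised only when `sessionState` mode is `InProc`.

```csharp
// Global.asax.cs (added example; names marked hypothetical are not from the page)
// web.config is assumed to set <forms timeout="..."> longer than
// <sessionState timeout="..."> (both in minutes), as the answer suggests.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;

public class Global : HttpApplication
{
    private const string UserIdKey = "UserId"; // hypothetical session key

    // Runs on each request once session state has been loaded.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        // Session is null for handlers that do not use session state (e.g. static files).
        if (Context.Session == null || !Request.IsAuthenticated)
            return;

        // Valid forms-auth cookie but a new session (the two are independent):
        // re-populate the session from the authenticated identity.
        if (Session[UserIdKey] == null)
            Session[UserIdKey] = User.Identity.Name;
    }

    // Raised when an InProc session times out or is abandoned.
    protected void Session_End(object sender, EventArgs e)
    {
        // No request is in flight here, so HttpContext.Current is null;
        // the ending session is reached through the Session property.
        var userId = Session[UserIdKey] as string;
        if (userId != null)
            MarkUserLoggedOut(userId);
    }

    // Hypothetical helper: flags the user as logged out with a parameterized query.
    private static void MarkUserLoggedOut(string userName)
    {
        var cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "UPDATE Users SET IsLoggedIn = 0 WHERE UserName = @name", conn))
        {
            cmd.Parameters.AddWithValue("@name", userName);
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

Because the session is rebuilt from the forms-authentication identity on every authenticated request, the session never has to outlive the authentication cookie for the logged-out flag to be written.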