I'm building web portal in ASP.NET MVC 3 that uses distant web service as only way to communicate with database. Web service has requirement to always have Username/Password passed in request header, otherwise it rejects the call.

I have overridden ASP.NET Membership so that my ValidateUser method sends Username/Password to web service Login method, and returns true/false if authentication is successful. It works quite nice with AcountController provided with MVC 3 Empty internet template. Since I have to pass Username/Password on every web service call, I'm saving them in Session.

My problem is:

If I close browser and reopen it... I remain logged to website, but my Session variables are expired, so none of my requests to web service are being accepted, even though I'm still logged with credentials.

I'm looking for nice suggestion how to sync user logged in state with session state. Either to keep them both persistent until log off is used or to have them both dispose on browser being closed.

Thanks for all suggestions :)

When the user signs in using your AccountController, try setting the auth cookie like this:

FormsAuthentication.SetAuthCookie(model.UserName, false);

This should tell ASP.NET to delete the cookie when the browser window is closed. Then, when user opens up a new browser, both the session and the auth cookie should both be destroyed.

Sessions are cookies on the client side. Forms Authentication (which uses your membership provider) also uses cookies.

They are different.

Is your auth ticket or cookie persistent? This MS KB will explain things and scenarios in more detail than I would here...

Hth.