We were previously using ASP.NET HTTP Session in our previous apps and are now moving towards using ServiceStack sessions in our newer apps.
We are also using JWT Tokens with the APIs - when a user sends an auth request, it returns a JWT Token. On subsequent requests, the user sends the JWT Token and we also do some custom session validation.
My question is related to the user's roles and permissions - when the user logs in, if we save the user's roles and permissions to the session, is this persisted across requests, and is this similar to how ASP.NET HTTP sessions work?
If you are using JWT then the session created at Authentication is embedded in the JWT token and resent by the client on each Request. JWTs are self-encapsulated sessions that are only retained by the client and never persisted by the Server - which is different to ASP.NET HTTP Sessions.
So, just to confirm, after authentication if I save the user's roles and permissions to session using SaveSession() - are they returned with the JWT Token back to the client and not stored anywhere on session? But if we were using the ss-pid cookies instead, does it save the session on the server?
So, is there any difference between this and adding to JWT Token payload manually?
Appreciate your assistance.
No, you shouldn't use SaveSession() with JWT, it's created once on Authentication from the which can be updated from the latest User Info with Refresh Tokens.
Right, most other Auth Providers use the Cookie-based ServiceStack Sessions where the cookie refers to an Authenticated UserSession saved on the server.
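To put the two replies above into code: an added illustration (not the poster's or ServiceStack's own code) of a JwtAuthProvider setup where the session is built once at authentication, carried inside the signed token, and rebuilt from the token on every request, with no SaveSession() call. It assumes ServiceStack's `CreatePayloadFilter` / `PopulateSessionFilter` hooks and `[RequiredRole]` / `[RequiredPermission]` attributes; `CustomUserSession`, `Department`, the `"dept"` claim and the `ReportsService` DTOs are constructed for the example.

```csharp
using System.Collections.Generic;
using Funq;
using ServiceStack;
using ServiceStack.Auth;

// Constructed example: extra per-user data that should travel in the token.
// Roles and Permissions already exist on AuthUserSession and are emitted by
// JwtAuthProvider as the "roles" and "perms" claims.
public class CustomUserSession : AuthUserSession
{
    public string Department { get; set; }
}

public class AppHost : AppHostBase
{
    public AppHost() : base("JwtRolesDemo", typeof(AppHost).Assembly) {}

    public override void Configure(Container container)
    {
        Plugins.Add(new AuthFeature(() => new CustomUserSession(),
            new IAuthProvider[] {
                new JwtAuthProvider(AppSettings) {
                    // HMAC signing key: generate once, store it outside source control.
                    AuthKey = AesUtils.CreateKey(),
                    RequireSecureConnection = true,
                    // Runs once, at authentication: copy session data into the JWT payload.
                    CreatePayloadFilter = (payload, session) => {
                        if (session is CustomUserSession cs && cs.Department != null)
                            payload["dept"] = cs.Department;
                    },
                    // Runs per request after the signature is verified: the session is
                    // rebuilt from the payload, nothing is read from server-side storage.
                    PopulateSessionFilter = (session, payload, req) => {
                        if (session is CustomUserSession cs && payload.TryGetValue("dept", out var dept))
                            cs.Department = dept;
                    },
                },
                new CredentialsAuthProvider(AppSettings), // username/password login that issues the JWT
            }));
    }
}

[Route("/reports")]
public class GetReports : IReturn<GetReportsResponse> {}
public class GetReportsResponse { public string Department { get; set; } public List<string> Roles { get; set; } }

// Authorization is decided from the roles/perms carried in the token itself.
[RequiredRole("Manager")]
[RequiredPermission("ViewReports")]
public class ReportsService : Service
{
    public object Get(GetReports request)
    {
        var session = SessionAs<CustomUserSession>();
        return new GetReportsResponse { Department = session.Department, Roles = session.Roles };
    }
}
```

Because the roles are read from the token, a role change only takes effect when the client obtains a new JWT (e.g. via a Refresh Token), which is the trade-off against the server-stored, cookie-referenced session.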