Ok, here’s the setup (not negotiable)
ASP.NET Web API providing data, etc., including login, etc.
C# class library, using RestSharp to call the API and return ViewModels
Standalone MVC 5 project, only using the class library.
All good and well and works perfectly, just not 100% sure how to deal with the following.
When calling login, the API validates the credentials and returns a token (GUID) that must be injected in each call made to the API.
What is the best way for the MVC site to "store" this token between subsequent calls?
Ideally I’d like to use things like Request.IsAuthenticated, etc.
ATM I’m storing it in a session object and got my own custom helper to see if we have a token, and from that created a custom auth attribute.
Thoughts?
As the MVC code cannot decrypt the token, and does not control when it expires, I’d store it in a cookie. Then on every request during authentication, you call the Web API to validate the token, and create the identity.
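A sketch of the cookie approach from the answer above, added here as an example and not code from either poster: the token travels in an HttpOnly, Secure session cookie, and each request asks the API whether it is still valid before an identity is created, so `Request.IsAuthenticated` and `[Authorize]` work. `IApiTokenValidator`, `GetUserNameForToken`, `ApiTokenCookie` and the cookie name are hypothetical; the validator stands for a class-library call to the Web API.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Hypothetical: implemented in the class library, which calls the Web API.
public interface IApiTokenValidator
{
    // Returns the user's name if the API still accepts the token, otherwise null.
    string GetUserNameForToken(Guid token);
}

public static class ApiTokenCookie
{
    public const string Name = "ApiToken"; // assumed cookie name

    // Call with Response.Cookies after a successful login.
    // No Expires is set: the API, not the MVC site, decides when the token dies.
    public static void Issue(HttpCookieCollection cookies, Guid token)
    {
        cookies.Add(new HttpCookie(Name, token.ToString("N"))
        {
            HttpOnly = true, // not readable from script
            Secure = true    // only sent over HTTPS
        });
    }

    // Overwrite with an already-expired cookie so the browser drops it.
    public static void Clear(HttpCookieCollection cookies)
    {
        cookies.Add(new HttpCookie(Name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1), HttpOnly = true, Secure = true
        });
    }
}

// Global.asax.cs
public class MvcApplication : HttpApplication
{
    public static IApiTokenValidator Validator; // assign in Application_Start

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[ApiTokenCookie.Name];
        Guid token;
        if (cookie == null || !Guid.TryParseExact(cookie.Value, "N", out token))
            return; // no usable token: request stays anonymous

        string userName = Validator.GetUserNameForToken(token);
        if (string.IsNullOrEmpty(userName))
        {
            ApiTokenCookie.Clear(Response.Cookies); // rejected or expired at the API
            return;
        }
        Context.User = new GenericPrincipal(new GenericIdentity(userName, "ApiToken"), new string[0]);
    }
}
```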
Thanks for that Bruce.
What I got right now is basically:
Login calls the API with a username / password
If valid, the API returns a whole object (incl. token, but also things like the user’s name, company name, and some other basic info I use all the time)
I then store this object in the session.
Then got a security helper with methods like "IsAuthenticated" and "GetInfo" which basically just look for the session object and its values.
I had it in a cookie, but I had some issues... forgot now what it was, was late at night (hectic month!). Probably because I’m not very experienced using cookies directly.
How does the above sound?