I'm fairly new to using Forms Authentication and am trying to wrap my head around how this all works. Basically, what I'd like to be able to do is store some user data that is associated with the FormsAuthentication ticket (data that comes back from my ldap server); however, I don't want to actually store this data in the cookie as it could be a rather large amount of data. Is it somehow possible to store this information in memory on the server, but keep it strongly tied to the ticket so that if the user times out or is logged out the data is destroyed as well. I realize I could use session variables to do this, but this seems awkward as I'd have to manually clean up the session variables if the user logs out. Is this possible or does this even make sense to do?
Why would you have to manually clean up a Session? The entire purpose of the Session dictionary is to allow you to do exactly what you want to do here: associate some known data with the user's current browser session. When the user's browser session ends for whatever reason, the HttpApplication and its Session are orphaned and GCed. So, I would just put your LDAP data into Session under a key, or set of same, and forget about it.