I am planning to use CSLA as the BL for a web API (similar to ASP.Net MVC). All of the requests to the API must be authenticated and I'm having trouble understanding how CSLA works in this scenario. My web API layer can manage to keep a session in process to identify incoming requests using a token in the HTTP header, so I can know who my users are once they have logged in.
Once a request is made to my API, I can pass the credentials to CSLA to authenticate the user. But after the user is authenticated, how do I maintain a session that CSLA is aware of so I don't have to authenticate the user on each request? Would I have to store an instance of the business layer in session state? Any help would be appreciated.