Session and Token With Each Request in ASP.NET MVC

I developed a project using ASP.NET MVC that uses session to keep track of users after login. Simply authorization! So I used the below code to use it as an attribute in the required controllers:

public class GppAuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
{
    // Authorized only when the login flow has stored a userId in the session.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext.Session["userId"] == null)
            return false;

        return true;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new RedirectResult("~/Auth/Login");
    }
}

Finally, in the controller, I am doing this:

// GET: Dashboard
[GppAuthorize]
public ActionResult Index()
{
    return View();
}

So for the above, the scenario works fine. Now I am trying to validate each request with a token for authentication (checking whether the request has a valid token to work with the server side), and I am not sure how to do that in ASP.NET MVC 5, as most of the tutorials use Web API. I did some R&D and got this as a basic idea to start with. Here is the link with an answer:

Authenticate MVC Controller Using Bearer Token and Redirect To The Controller

It looks promising. The questions are, after login:

  1. How can I create the token and pass it in each HTTP request, specifically after user login?

  2. Is there anything that I need to do with the session, or should it be independent of the session?

  3. If the example code in the provided link works, how can I make it work for an HTTP request with
    an Ajax call? Say, for the below code sample:

      $.ajax({
          type: "POST",
          url: "/Dashboard/GetProducts",
          contentType: "application/json; charset=utf-8",
          dataType: "json",
          success: function (value) {
          },
          error: function (ex) {
              alert('Failed to retrieve states.' + ex); //Check if authentication failed here
          }
      });


  4. Will this help me prevent unauthorized URLs from accessing data from the website or web project
    that I am working with (though I know it will, is there any way to override it and make
    unauthorized URL calls)?
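
One way to check a token on every Ajax request in MVC 5, shown as an added example that is not part of the original post and not code from the linked answer. It binds a random token to the existing session rather than replacing it; `RequestToken`, `GppTokenAuthorizeAttribute`, the `requestToken` session key and the `X-Request-Token` header name are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

// Hypothetical helper: issues a random per-session token and checks the copy sent by the client.
public static class RequestToken
{
    public const string SessionKey = "requestToken";     // assumed session key
    public const string HeaderName = "X-Request-Token";  // assumed request header
    // Call once in the login action, right after Session["userId"] is set.
    public static string Issue(HttpSessionStateBase session)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        session[SessionKey] = token;
        return token;
    }
    // Compare without an early exit so response timing does not reveal a matching prefix.
    public static bool Matches(string expected, string supplied)
    {
        if (expected == null || supplied == null || expected.Length != supplied.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ supplied[i];
        return diff == 0;
    }
}

// Same shape as GppAuthorizeAttribute, plus the header check; intended for Ajax endpoints.
public class GppTokenAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext.Session == null || httpContext.Session["userId"] == null) return false;
        var expected = httpContext.Session[RequestToken.SessionKey] as string;
        return RequestToken.Matches(expected, httpContext.Request.Headers[RequestToken.HeaderName]);
    }
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Ajax callers get a 401 that the error: callback can test, not a login page.
        filterContext.Result = filterContext.HttpContext.Request.IsAjaxRequest()
            ? (ActionResult)new HttpStatusCodeResult(401)
            : new RedirectResult("~/Auth/Login");
    }
}
```

The client sends the value returned by `Issue` through the `headers` option of `$.ajax`, and the `error` callback can check `ex.status === 401`. Page navigations cannot carry a custom header, so actions that return views would keep the session-only `GppAuthorize` attribute.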