It seems that the FormsAuthenticationModule gets handled first. This module is normally earlier than any custom module in the ASP.NET pipeline, so when AuthenticateRequest is fired, FormsAuthenticationModule will get called first, do its job and then your module’s event handler will be called. If you really want to dig deep into this, I suggest trying … Read more
This is a known issue. I had the same problem with my custom authorize attribute. I found the solution somewhere on the net, can’t remember where. Just add this to appSettings in your web.config <add key=”loginUrl” value=”~/Account/LogOn” /> Note: This works with MVC 3, I didn’t try it with previous versions. EDIT: Found it mentioned … Read more
I had the same problem and solution was to turn off output caching for the responses where you call SetCookie. Below are several links describing this Don’t let your cookie being cached by accident! ASP.NET Session Mix-up using StateServer (SCARY!) Integrated Pipeline and the kernel-mode cache
I’m taking a guess here and suspect that you have the following setting configured in your web.config file: <modules runAllManagedModulesForAllRequests=”true”> This means that every request, including those for static content is hitting the pipeline. Change this setting to: <modules runAllManagedModulesForAllRequests=”false”> This is assuming your application is running under ASP.NET 4.0 and MVC3. For this to … Read more
You can adjust it in your web.config file: <authentication mode=”Forms”> <forms name=”.CookieName” loginUrl=”LoginPage.aspx” /> </authentication>
ASP.NET 4.5 added the Boolean HttpResponse.SuppressFormsAuthenticationRedirect property. public void ProcessRequest(HttpContext context) { Response.StatusCode = 401; Response.StatusDescription = “Authentication required”; Response.SuppressFormsAuthenticationRedirect = true; }
The way your code is written logins will persist across browser sessions. It might help to understand the basics of what is going on. For cookie based authentication methods, there are really three actions: 1) Login – validates user’s credentials and creates and stores a cookie on their browser. 2) Logout – simply removes the … Read more
You can add user data to the FormsAuthenticationTicket, then generate the cookie yourself. There’s an example in the the MSDN documentation for FormsAuthenticationTicket. EDIT Note that when creating the ticket, you need to set the timeout, which in general you will want to be the same as the value configured in web.config. Unfortunately, in the … Read more
This is why many systems include timers on the page to give approximate timeout times. This is tough with interactive pages. You really need to hook ajax functions and look at the return status code, which is a bit difficult. One alternative is to use code based on the following which runs early in the … Read more
In MVC you normally use the [Authorize] attribute to manage authorization. Controllers or individual actions that are dressed with that attribute will require that the user is authorized in order to access them – all other actions will be available to anonymous users. In other words, a black-list approach, where actions that require authorization are … Read more