I overrode Application_AuthenticateRequest() in my Global.asax to try to understand the event flow better. I’m using the Membership Provider that comes with the default MVC2 application.
I thought if I did this:
public void Application_AuthenticateRequest(object sender, EventArgs args)
{
    HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
    if (authCookie != null)
    {
        authCookie.Expires = System.DateTime.Now.AddDays(-1); // Set the cookie expires time in order to delete it
        Response.Cookies.Add(authCookie);
    }
}
A user could log in, but upon the page loading after they submit the login form, they would show up as not logged in since I destroyed their auth cookie.
However, that is not the case. Instead they can successfully log in and it will show them logged in when the page loads. The next page they hit will log them out.
I thought I didn’t destroy their cookie in time, so I placed that code into Application_BeginRequest() inside of my Global.asax. It produced the same results.
Does this mean I still did not destroy their cookie in time, or am I not properly understanding the flow of events?
There are two cookie collections used here: Request.Cookies and Response.Cookies.
Request.Cookies are cookies that have come from the browser for the current page. Most/all processes read from this collection.
Response.Cookies are the cookies that are going to be sent back to the browser. When you set the Expires value on the Response cookie, it first has to go back to the browser, the browser sees it has expired and then there will be no cookie on the next page.
You can try to set the Request.Cookies, but I believe it is read-only.
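The timing described in the question and the answer can be reproduced with a small model of the pipeline. The following is an added example, not code from either post and not ASP.NET itself: it is a constructed simulation with a browser cookie jar, a per-request snapshot standing in for Request.Cookies, and a separate collection standing in for Response.Cookies that only reaches the jar after the response is sent. The cookie name, ticket value and clock are made up. It also goes one step beyond the posts by showing the defender's fix: if a request carries a cookie the server has decided to revoke, the authentication step must refuse to establish the identity for the current request, because expiring the cookie in the response only affects the next one.

```python
"""Constructed model of the ASP.NET Request.Cookies / Response.Cookies split."""
from datetime import datetime, timedelta

AUTH_COOKIE = ".ASPXAUTH"  # default FormsAuthentication cookie name (assumed)


class Cookie:
    def __init__(self, name, value, expires=None):
        self.name = name
        self.value = value
        self.expires = expires  # None means a session cookie

    def is_expired(self, now):
        return self.expires is not None and self.expires <= now


class Browser:
    """Holds cookies between requests, like a real user agent."""

    def __init__(self):
        self.jar = {}

    def build_request(self, now):
        # A browser drops expired cookies before sending; what remains is Request.Cookies.
        self.jar = {n: c for n, c in self.jar.items() if not c.is_expired(now)}
        return {n: c.value for n, c in self.jar.items()}

    def receive_response(self, response_cookies):
        # Set-Cookie headers update the jar only AFTER the response arrives.
        for c in response_cookies.values():
            self.jar[c.name] = c


def run_request(browser, now, authenticate_request, handler):
    request_cookies = browser.build_request(now)
    response_cookies = {}
    # Application_AuthenticateRequest runs first and decides the principal
    # from the request-side cookies ...
    user = authenticate_request(request_cookies, response_cookies, now)
    # ... then the page sees that principal, regardless of what is queued in the response.
    page_text = handler(user)
    browser.receive_response(response_cookies)
    return page_text


def login(browser):
    """Stands in for FormsAuthentication.SetAuthCookie: a Response cookie the browser keeps."""
    browser.receive_response({AUTH_COOKIE: Cookie(AUTH_COOKIE, "constructed-ticket")})


def expire_in_response_only(request_cookies, response_cookies, now):
    """The asker's approach: copy the auth cookie into the Response with a past Expires.
    The identity is still taken from Request.Cookies, so this request stays logged in."""
    if AUTH_COOKIE in request_cookies:
        response_cookies[AUTH_COOKIE] = Cookie(
            AUTH_COOKIE, request_cookies[AUTH_COOKIE], expires=now - timedelta(days=1))
    return request_cookies.get(AUTH_COOKIE)


def expire_and_deny_current_request(request_cookies, response_cookies, now):
    """Hardened form: expire the cookie for the browser AND refuse to build an
    identity from it now, so revocation takes effect on this very request."""
    expire_in_response_only(request_cookies, response_cookies, now)
    return None


def page(user):
    return "logged in" if user else "anonymous"


def simulate(authenticate_request):
    """Returns what the user sees on the first and second page load after login."""
    browser = Browser()
    t0 = datetime(2010, 6, 1, 12, 0, 0)  # constructed clock
    login(browser)
    first = run_request(browser, t0 + timedelta(seconds=1), authenticate_request, page)
    second = run_request(browser, t0 + timedelta(seconds=2), authenticate_request, page)
    return first, second


if __name__ == "__main__":
    print(simulate(expire_in_response_only))         # ('logged in', 'anonymous')
    print(simulate(expire_and_deny_current_request))  # ('anonymous', 'anonymous')
```

The first run reproduces the observed behaviour: the page loaded right after login still shows the user as logged in, and only the following page is anonymous, because the expired cookie has to travel to the browser before it disappears from the next Request.Cookies. The second run shows why server-side revocation must act on the request side as well as the response side.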