It seems I was not expressing my question well, so I am adding this as a supplemental title: How can I extend the FormsAuthentication class so that I can override default behaviors in a configuration file (for example, pass off execution control to the MembershipProvider for updating the MembershipUser’s LastActivity on a new page request), and, failing that, replace the mechanism of the FormsAuthentication class with my own custom class and use that as the FormsAuthentication class would normally be used?

How do we implement a less ridiculously rigid, more extensible FormsAuthentication framework that will allow us to integrate into a custom MembershipProvider? Has there been any work on this? Ultimately, I’d like to put in my web.config something like this:

<authentication mode="Forms">
    <forms membershipProvider="MyCustomMembershipProvider">
        <events>
            <add event="AuthenticatedRequest" action="OnAuthRequest" />
            <add event="UnAuthenticatedRequest" action="OnRequest" />
            <add event="UnAuthorizedRequest" action="UnAuthRequest" />
        </events>
    </forms>
</authentication>

This shouldn’t be taking up all my time. The Forms Authentication seems to be pretty low-level in the ASP.NET page lifecycle, but there’s got to be a way to cleanly circumvent it.

This is not about the custom membership provider. I want to implement things in my membership provider class like the implied “IsOnline” and “LastActivity” functionality, but the FormsAuthentication sets the cookie and doesn’t look back. I want to inject my own code when it checks that cookie, but I can’t. There has to be a way other than layering my own cookie on top.