ASP.Net; How to ignore or remove the Forms Authentication cookie when using Basic Authentication?
Question
I have a web forms asp.net website, and I am trying to bolt on an API. I have managed to add some code in Global.ASAX Application_AuthenticateRequest() to spot URL's starting with API, such that API requests correctly route to Web API 2 controllers.
I create a security principal in Application_AuthenticateRequest(), and I use [Authorize] attribute to block unauthenticated access to the API classes.
I think a cookie is still being used though. Once I have authenticated one API request, via the browser challenge, I am not challenged again. I have to close the browser to force the browser to drop the cookie, and only on a new instance of the browser do I get a challange.
It is not a big problem, but it is something that I should know about and be able to control. I am aware that this has only come about because I am using Forms Auth by default, because this started as a forms project, and is mutating into forms+basic.
How can I get the basic authentication flow going so that the forms cookie details are (conditionally) removed, or ignored?
IDE is VisualStudio 2015 Community, project is ASP.Net + WebAPI2, targetting .Net 4.6.1, running under IIS 7.5, on Win Server 2008 R2
1 answers
solution1
0 2016-01-21 07:37:59
The easiest way to do that is through authentication.form.timeout in web.config. you can set a small value to expire the cookie. Otherwise, you have to implement your authentication filter. This article should be helpful.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.