I have an ASP.NET 3.5 application that uses Forms Authentication. When first launching a browser, everything works correctly (login, access protected pages, logout).
After SignOut(), no user can use the app without closing the browser (tested IE and Safari). Specifically, after the next user logs in, the response is redirected to the app's public home page and not to the private page.
- I've verified that the auth cookie is no longer present.
- The code path is the same in both cases.
- I do use a Login control but I manually control the login process (auth, ticket, and redirect).
- At login, the Session ID is changed.
- This behavior exists regardless of whether I am using a developer server or a production server.
Everything appears to be correct but the user is always redirected to the app's home page. (I have a default.aspx file that is not used; it performs a redirect on load but this code is never called.)
I use the FormsAuthentication SignOut() routine, I Abandon() the session, I've verified that my cookies and the auth cookie are no longer present, and I've checked the Response redirect URL. What else controls the final page after login? And, since the session is new, what else does the server manage that could interfere with authenticating a second user?