Tags: c#, asp.net, authentication, forms-authentication, windows-authentication

Logout in MixedMode Authentication. Showing the wrong user on profile object


I am using both Windows and Forms Authentication in a web application. Both authentication schemes are enabled in IIS. We explicitly set the Forms cookie after the Windows authentication succeeds, as the application relies on the Forms cookie. This all works as expected.

The problem is that even after I log out after being logged in as a Windows user, the new request (Login.aspx) still has the Context.User set to my Windows principal. Even though inside login I still create a new Forms cookie, the ASP.NET Profile object still has the Windows principal as the User. Since we use the Profile object throughout the application, it shows up a different user other than the one that is logged in.

I am wondering why this is happening? Do we need to do something on logout to prevent IIS from passing the security token for the next request that goes to Login.aspx?

Do I need to set the Context.User manually on every request in FormsAuthentication_OnAuthenticate by reading the cookie and setting the Context.User to the UserData inside the cookie?

I am doing `document.execCommand("ClearAuthenticationCache")` at logout.

EDIT: Now I have more details: in Application_BeginRequest, the Context.User is coming as null. But when the request reaches FormsAuthentication_OnAuthenticate the Context.User is set to the Windows principal. I have no clue what event sets that and how I could prevent that?

EDIT: I have found that the Context.User is null in `Application_BeginRequest` but it gets set to the Windows principal inside `FormsAuthentication_OnAuthenticate`.


Solution

  • Finally I have figured out the issue. The real issue is setting up the entire root folder to use Windows and Forms Authentication. Ideally you need to have a separate login page for Windows (WinLogin.aspx) and set up Windows and Forms Authentication only for this page. For the rest of the app set Forms Authentication only. The WinLogin should then create a Forms cookie and redirect to the rest of the application.

    The following SO question helped me in figuring this out : Mixed Mode Authentication
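The configuration the answer describes, as an added example (not the poster's own web.config): Forms authentication for the whole application, with IIS Windows authentication scoped to the single WinLogin.aspx page. It assumes IIS 7+ in integrated pipeline mode and that the `windowsAuthentication` and `anonymousAuthentication` sections have been unlocked in applicationHost.config so a web.config may override them; the page names are the ones used in the answer.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- The whole application is Forms-only; the Windows principal is never
         attached to ordinary requests, so Profile sees only the Forms user. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" name=".ASPXAUTH" timeout="30" />
    </authentication>
    <authorization>
      <!-- Deny anonymous users everywhere except the pages opened below. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Login.aspx is the Forms login page and must stay reachable anonymously. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Only WinLogin.aspx performs the Windows handshake. Anonymous access is
       turned off here so IIS actually challenges the browser; the page then
       reads Request.LogonUserIdentity, calls FormsAuthentication.SetAuthCookie,
       and redirects into the Forms-protected application. -->
  <location path="WinLogin.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Because Windows authentication is now limited to WinLogin.aspx, a logout that calls `FormsAuthentication.SignOut()` and redirects to Login.aspx leaves no Windows principal for the next request to pick up.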