Last post Nov 26, 2012 03:34 PM by BrockAllen
Nov 24, 2012 04:47 PM
I deleted all the stuff from these tables but didn't log out.
select * from AspMembership.dbo.aspnet_Membership
select * from AspMembership.dbo.aspnet_Profile
select * from AspMembership.dbo.aspnet_Users
I refreshed the page so how come my (User.Identity.IsAuthenticated) still returns true?
Nov 24, 2012 06:19 PM
Because the user is authenticated due to the token they're presenting on the web request. The token is a cookie and the cookie contains the username. They will be authenticated until that cookie expires or is destroyed. It has nothing to do with the database.
Nov 26, 2012 03:06 PM
Does that mean that anyone can create a fake authenticated cookie?
Nov 26, 2012 03:17 PM
No, the cookie contains a token that is signed with a key that only the server has.
Nov 26, 2012 03:29 PM
So how does the app know it's valid? What is the result?
Nov 26, 2012 03:34 PM
This is all part of forms auth in ASP.NET. I suggest you read up:
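Added example, not part of the original thread and not ASP.NET's own code: a simplified Python model of the signed ticket described in the replies above. It shows that validation needs only the server key and the expiry, and that an extra per-request lookup is what makes a deleted account stop authenticating. The key, the ticket layout and the `validate_with_user_store` helper are assumptions for illustration; real forms authentication tickets use a different format.

```python
import base64
import hashlib
import hmac
import json

# Assumption: constructed demo key standing in for the server-only signing key.
SERVER_KEY = b"constructed-demo-key-known-only-to-the-server"

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue_ticket(username, now, ttl=1800, key=SERVER_KEY):
    """Return 'payload.signature'; the payload carries the username and expiry."""
    payload = json.dumps({"name": username, "exp": now + ttl}).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def validate_ticket(cookie, now, key=SERVER_KEY):
    """Return the username if signature and expiry are good, else None.
    Note that no user database is consulted here."""
    try:
        p64, s64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:  # wrong shape or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    return data["name"] if now < data["exp"] else None

def validate_with_user_store(cookie, now, users):
    """Hypothetical hardening: also require that the account still exists."""
    name = validate_ticket(cookie, now)
    return name if name in users else None

def demo():
    t0 = 1_000_000  # constructed timestamp (seconds)
    cookie = issue_ticket("alice", t0)
    forged = issue_ticket("alice", t0, key=b"attacker-guess")  # wrong key
    deleted_users = set()  # the membership rows were deleted
    return (validate_ticket(cookie, t0 + 60),      # still valid
            validate_ticket(forged, t0 + 60),      # bad signature
            validate_ticket(cookie, t0 + 3600),    # expired
            validate_with_user_store(cookie, t0 + 60, deleted_users))

if __name__ == "__main__":
    print(demo())
```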