I am developing an ASP.NET MVC 4 website with SimpleMembership, and the GET login controller is sometimes called even if the user is logged in. So far this has happened only during development (we are not yet in QA) and only after changing the .cshtml page. This happens some time after changing the .cshtml page, but not sequentially.
I added logging to the Login() method provided by the template and see that the user is truly authenticated and has all the roles that a user logged into the system must have.

    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        if (User.Identity.IsAuthenticated)
        {
            // Log the unexpected case: an already authenticated user reached the login form.
            logger.Error("User " + User.Identity.Name + " is authenticated shown login form. Roles: "
                + string.Join(", ", Roles.GetRolesForUser(User.Identity.Name)));
        }
        // ...
    }

Questions
- What causes this behavior?
- Can this happen in a production system, for example if the application domain is redesigned?
- Is bypassing the call to WebSecurity.Logout() before returning the login sound from a security point of view?