I’ve created a CustomCredentialsAuthProvider class that is overloading the TryAuthenticate method. If this method throws an exception, instead of catching all errors and just returning false for the Authenticate, the Cookie still gets created and sent in the response. Is this intended? I would think that if this method crashes, then authentication has failed an no cookie is created.
Cookies are always created when you access the session, clients don’t have to be authenticated to access the session.
Bruce Hunter:
ah, ok thanks