Nick Karnik - 53 - Sep 28, 2014

I need clarification on the /auth/credentials call. A user logs in successfully and closes the browser. Then, the user comes back to the app and is presented with the login screen. If there’s an existing session present on the database (and a cookie on the client), the user can login simply by entering their login name and junk password.

Why does it behave that way? Is there a setting I need to make? Ideally, I want to take advantage of the “remember me” feature by storing a cookie. However, if the user happens to come across a login page, I want them to enter the correct credentials.

What should I be checking in the return value to distinguish between a correct login vs. incorrect? Thanks!

Nick Karnik:

Thanks for the clarification and pointers.

It short-circuits if the Login already matches the authenticated session. You can change this by logging out or clearing the session when loading the login page.

If logging out first, you can change the redirect URL, i.e. you can log out and redirect to the /login page with /auth/logout?continue=/login. Other options to redirect are mentioned at: http://stackoverflow.com/a/25227684/85785

Otherwise you can clear the session with the RemoveSession() extension method on the IRequest or Service types.
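Putting the two options from the answer above together, here is an added example (not code from the original thread or from ServiceStack itself) of a login-page Service that clears any existing authenticated session before rendering the form, so that a following /auth/credentials call cannot short-circuit on a matching user name and a junk password. The request DTO `LoginPage`, the service class name, the `/login` route and the inline HTML are assumptions for illustration; `Request.RemoveSession()` and the `/auth/logout?continue=/login` redirect are the mechanisms named in the answer.

```csharp
using ServiceStack;
using ServiceStack.Web;

// Hypothetical request DTO: GET /login renders the login form.
[Route("/login", "GET")]
public class LoginPage : IReturn<HttpResult> {}

public class LoginPageService : Service
{
    public object Get(LoginPage request)
    {
        // Option 2 from the answer: drop the session bound to the caller's
        // session cookie. With no authenticated session left to match,
        // /auth/credentials has to verify the password for real.
        Request.RemoveSession();

        // Minimal form (constructed for the example). Posting to
        // /auth/credentials with UserName/Password is the normal flow.
        // The "Sign out" link is Option 1 from the answer: log out first and
        // let the logout redirect back to this page via ?continue=/login.
        const string html = @"<!doctype html>
<html><body>
  <form method=""post"" action=""/auth/credentials"">
    <input name=""UserName"" placeholder=""User name"">
    <input name=""Password"" type=""password"" placeholder=""Password"">
    <input type=""hidden"" name=""RememberMe"" value=""true"">
    <button type=""submit"">Sign in</button>
  </form>
  <a href=""/auth/logout?continue=/login"">Sign out</a>
</body></html>";

        return new HttpResult(html, MimeTypes.Html);
    }
}
```

Clearing the session on GET /login is the lower-friction choice when the user may simply have returned to the page by accident: the "remember me" cookie is untouched until they actually submit credentials, but a stale authenticated session can no longer be reused with a wrong password.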