Question on re-authenticate design

When I login again to an already logged in account, but using the wrong password, it remains authenticated.

For example,

Go to
Login as “test” “test” so it says “Authenticated”
Login again as “test” “notmypassword”, still says Authenticated

Can you tell me if this is by design? Shouldn’t any re-authentication attempt clear the current one?

If so, where is the best place for me to hook into this to override it and clear down the session on a new attempt.



Yeah it short-circuits if you’re already authenticated so the invalid auth wasn’t attempted. You’d need to logout first.


We have a use-case where a re-authentication for confirmation needs to occur, and I was just popping up a login and making them login again, but because of short-circuit it always accepts it.

I don’t really want to log the user out completely beforehand, but don’t want them to proceed if they use the wrong password (and log them out in this case).

Seems like overriding IsAuthorized of my CredentialsAuthProvider is the best place?

Your custom AuthProvider wont get called if they’re already authenticated.

Sounds like you just want to logout on any Authentication attempt? In which case you can add a Global Request Filter to log the user out for any POST Authenticate request, e.g something like:

GlobalRequestFilters.Add((req,res,dto) => {
    if (dto is Authenticate && req.Verb == HttpMethods.Post)

Yes, exactly what I wanted. Thanks.

Your custom AuthProvider wont get called if they’re already authenticate

That confuses me, as mine is being called. What I had tried was…

public override bool TryAuthenticate(IServiceBase authService, string userName, string password)
	// remove any existing authenticatored user
	if (authService.GetSession().IsAuthenticated)


public override bool IsAuthorized(IAuthSession session, IAuthTokens tokens, Authenticate request = null)
	// force a re-Authentication if there are credentials
	if (string.IsNullOrEmpty(session.UserAuthId) == false && request != null)
		return false;

	return base.IsAuthorized(session, tokens, request);

Your solution was the one liner I was looking for though.

Yeah it calls IsAuthorized() first to determine whether to TryAuthenticate or not. The default impl is to return true for authenticated users which will short-circuit Authentication.