Session not matched after calling AuthenticateService

I am changing an unauthenticated user's password via a ‘token’ email link and want the user to be logged in after. I am pretty sure my code used to work, but now IsAuthenticated is true…and then false (latest version)…

    public async Task<ActionResult> ChangePassword(string usr, string code)
    {
        if (usr == null || code == null)
            return View("Error");

        var userUtil = UserUtil.InstantiateByEmail(usr);

        // does a token-based password update if code matches
        var model = await userUtil.ResetPasswordAfterCheckCodeAsync(code);
        if (model != null)
        {
            using (var authService = HostContext.ResolveService<AuthenticateService>())
            {
                var response = authService.Post(new Authenticate
                {
                    provider = AuthenticateService.CredentialsProvider,
                    UserName = model.Email,
                    Password = model.Password,
                    RememberMe = model.RememberMe
                });

                // (session.IsAuthenticated = true)
                var session = (CustomUserSession)authService.GetSession(false);
                SaveSession(session); // Doesn't help the issue below
                Response.Cookies.Add(UserUtil.CreateFormsCookie(model.Email, model.RememberMe, session));
            }

            // For both session1/session2 .IsAuthenticated is now false
            var session1 = (CustomUserSession)GetSession(false);
            var session2 = (CustomUserSession)GetSession(true);

            if (IsAuthenticated) // = false
                return Redirect("account/password"); // Redirect to change to their own password
        }

        return View("Error");
    }

Note that if I FLUSHALL in Redis and run repeatedly I can see the session has isAuthenticated true, so guessing issue with HTTP context somehow.

Ok close this…elsewhere I had the rememberMe = false

Now I kind of know what that is for, I’ll just set it true always!

Having said that it was always false before and used to work, ideally would like to know what changed.

Does it mean anything other than ‘send cookie to client’?

RememberMe says whether to save the User's Session against the temporary ss-id or the permanent ss-pid cookie.
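
The cookie selection described in the answer above, as an added example that is not part of the original thread and is not ServiceStack source. It is a simplified model: the `ss-opt` cookie with `perm`/`temp` values and the `urn:iauthsession:` key prefix are ServiceStack defaults assumed here, while the class, the cookie values and the mismatch scenario are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Simplified model of session lookup, not ServiceStack's own code.
static class SessionCookieModel
{
    // Stands in for the Redis cache: session key -> IsAuthenticated.
    static readonly Dictionary<string, bool> Cache = new Dictionary<string, bool>();

    static string SessionKey(string id) => "urn:iauthsession:" + id;

    // The session is named by ss-pid when ss-opt contains "perm", otherwise by ss-id.
    public static string ResolveSessionId(IDictionary<string, string> cookies)
    {
        bool perm = cookies.TryGetValue("ss-opt", out var opt) && opt.Contains("perm");
        return cookies[perm ? "ss-pid" : "ss-id"];
    }

    // RememberMe chooses the option; the session is then saved under the id that resolves.
    public static void Login(IDictionary<string, string> cookies, bool rememberMe)
    {
        cookies["ss-opt"] = rememberMe ? "perm" : "temp";
        Cache[SessionKey(ResolveSessionId(cookies))] = true;
    }

    public static bool IsAuthenticated(IDictionary<string, string> cookies) =>
        Cache.TryGetValue(SessionKey(ResolveSessionId(cookies)), out var auth) && auth;

    static void Main()
    {
        // Constructed cookie values for a client that earlier chose the permanent option.
        var current = new Dictionary<string, string>
        {
            ["ss-id"] = "TEMP-EXAMPLE", ["ss-pid"] = "PERM-EXAMPLE", ["ss-opt"] = "perm"
        };
        // A second view of the same cookies that never sees the option change.
        var stale = new Dictionary<string, string>(current);

        Login(current, rememberMe: false); // session is written under the ss-id value

        // The updated view resolves ss-id and finds the session.
        Console.WriteLine("updated cookies: " + IsAuthenticated(current));
        // The stale view still resolves ss-pid, where nothing was written.
        Console.WriteLine("stale cookies:   " + IsAuthenticated(stale));
    }
}
```

The same user and the same cache give different answers depending only on which cookie the lookup resolves, so when a session reads as authenticated in one place and not in another, comparing the resolved session id on both sides is a quick check.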