Session not matched after calling AuthenticateService

darrenshrwd · May 4, 2016, 3:17am

I am changing an unauthentciated users password via a ‘token’ email link and want the user to be logged in after, I am pretty sure my code used to work, but now IsAuthenticated is true…and then false (latest version)…

    [System.Web.Mvc.Route("change-password")]
    public async Task<ActionResult> ChangePassword(string usr, string code)
    {
        if (usr == null || code == null)
        {
            return View("Error");
        }

        var userUtil = UserUtil.InstantiateByEmail(usr);

        // does a token-based password update if code matches
        var model = await userUtil.ResetPasswordAfterCheckCodeAsync(code);
        if (model != null)
        {
            using (var authService = HostContext.ResolveService<AuthenticateService>())
            {
                var response = authService.Post(new Authenticate
                {
                    provider = AuthenticateService.CredentialsProvider,
                    UserName = model.Email,
                    Password = model.Password,
                    RememberMe = model.RememberMe
                });

                // (session.IsAuthenticated = true)
                var session = (CustomUserSession)authService.GetSession(false);
                
                SaveSession(session); // Doesn't help the issue below
                Response.Cookies.Add(UserUtil.CreateFormsCookie(model.Email, model.RememberMe, session));
            }

            // For both session1/session2 .IsAuthenticated is now false
            var session1 = (CustomUserSession)GetSession(false); 
            var session2 = (CustomUserSession)GetSession(true);

            if (IsAuthenticated) // = false
            {
                return Redirect("account/password"); //Redirect to change to their own password
            }
        }
        return View("Error");
    }

darrenshrwd · May 4, 2016, 3:32am

Note that if I FLUSHALL in redis and run repeatedly I can see the session has isAuthenticated true so guessing issue with http context somehow.

darrenshrwd · May 4, 2016, 3:51am

Ok close this…elsewhere I had the rememberMe = false

Now I kind of know what that is for, I’ll just set it true always!

darrenshrwd · May 4, 2016, 3:58am

Having said that it was always false before and used to work, ideally would like to know what changed.

Does it mean anything other than ‘send cookie to client’?

mythz · May 4, 2016, 4:08am

RememberMe says whether to save the Users Session against the temporary ss-id or the permanent ss-pid cookie.