I have a web site which uses both Windows and Forms authentication. I link them together with a table called tblUsers, which basically looks like this:
ID   AuthenticationType   LoginName
1    Forms                r_dargan
2    NTLM                 s_jones
(Sorry for the crappy table... getting more and more sick of blogger!)
I then have a security business object which basically does the following:

    public int GetUserID() {
        if (Session["UserID"] == null) {
            // Get the user ID, and set Session["UserID"]
        }
        return (int)Session["UserID"];
    }

The Problem:
This works great until one user logs out and another logs in on the same browser. What was happening was that the user ID was persisting across logged-in users.
The reason is that Session state spans a browser session, not a user's logged-in session, so Session["UserID"] was not nulled when the user logged out.
The Solution:
Quite easy actually: I added a handler to the "logging out" event on the logout control which clears the session (Session.Clear()).
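The stale-ID problem and the fix can be reproduced outside ASP.NET. The console program below is an added example, not code from the original post: a Dictionary stands in for the per-browser Session, the Users map is a constructed stand-in for tblUsers keyed by "AuthenticationType:LoginName", and GetUserIdBound is a hypothetical extra safeguard that ties the cached ID to the login it was resolved for.

```csharp
using System;
using System.Collections.Generic;

static class SessionCacheDemo
{
    // Constructed stand-in for tblUsers (AuthenticationType:LoginName -> ID).
    static readonly Dictionary<string, int> Users = new Dictionary<string, int>
    {
        { "Forms:r_dargan", 1 },
        { "NTLM:s_jones", 2 }
    };

    // The post's pattern: the cache entry says nothing about who it belongs to.
    static int GetUserIdCached(Dictionary<string, object> session, string login)
    {
        if (!session.ContainsKey("UserID"))
            session["UserID"] = Users[login];
        return (int)session["UserID"];
    }

    // Hypothetical safeguard: re-resolve whenever the cached owner differs
    // from the login that is currently authenticated.
    static int GetUserIdBound(Dictionary<string, object> session, string login)
    {
        object owner;
        if (!session.TryGetValue("UserIDOwner", out owner) || (string)owner != login)
        {
            session["UserID"] = Users[login];
            session["UserIDOwner"] = login;
        }
        return (int)session["UserID"];
    }

    static void Main()
    {
        // One dictionary = one browser session shared by both users.
        var session = new Dictionary<string, object>();

        Console.WriteLine("first login:        " + GetUserIdCached(session, "Forms:r_dargan"));
        // Logout that does not touch the session, then a second login.
        Console.WriteLine("second, no clear:   " + GetUserIdCached(session, "NTLM:s_jones"));

        session.Clear(); // the post's fix, run from the logging-out handler
        Console.WriteLine("second, cleared:    " + GetUserIdCached(session, "NTLM:s_jones"));

        session.Clear();
        GetUserIdBound(session, "Forms:r_dargan");
        // No Clear() between the two logins this time.
        Console.WriteLine("second, bound cache: " + GetUserIdBound(session, "NTLM:s_jones"));
    }
}
```

The bound variant covers paths where the logout handler never runs, such as an authentication ticket expiring while the browser stays open.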