My problem is that, for some reason, the Authorize attribute still accepts a cookie that has already been deleted: I can send that same cookie from Postman and make PUT, POST, GET or any other request with it. Below is the code for login, logout and the authentication configuration.
<!--
  Forms authentication configuration.
  The "Auth" cookie carries a self-contained, encrypted ticket. The server
  validates it by decrypting the cookie and keeps no record of issued tickets,
  so a copied cookie value stays valid until the ticket itself expires,
  regardless of whether the browser's copy was deleted.
-->
<authentication mode="Forms">
<!--
  timeout="10"             : ticket lifetime in minutes.
  slidingExpiration="true" : activity renews the ticket, so a replayed cookie
                             that keeps being used can outlive the initial 10 minutes.
  NOTE(review): requireSSL is not set here; consider requireSSL="true" so the
  ticket is only ever sent over HTTPS.
-->
<forms loginUrl="~/Home/Login" timeout="10" slidingExpiration="true" name="Auth" />
</authentication>
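/// <summary>
/// Handles the login form post: validates the credentials against the
/// membership provider and, on success, issues the forms-authentication cookie.
/// </summary>
/// <param name="model">Posted login form (user name, password, remember-me flag).</param>
/// <returns>
/// A redirect to Home/Index on success; otherwise the login view re-rendered
/// with a validation error and a fresh CAPTCHA.
/// </returns>
[HttpPost]
[AllowAnonymous]
[CaptchaValidation("CaptchaCode", "BotCaptcha", "Incorrect CAPTCHA code!")]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginViewModel model)
{
    if (ModelState.IsValid)
    {
        var localProvider = (AccountMembershipProvider)Membership.Provider;
        if (localProvider.ValidateUser(model.UserName, model.Password))
        {
            // The issued ticket is self-contained: the server keeps no record of it,
            // so it cannot be revoked later by deleting the cookie on the client.
            // model.RememberMe == true makes the cookie persistent across browser restarts.
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
            return RedirectToAction("Index", "Home");
        }

        ModelState.AddModelError("", "Usuario y/o contraseña incorrecta");
    }
    else if (ModelState.Keys.Any(k => k == "CaptchaCode"))
    {
        // NOTE(review): this tests only for the presence of the "CaptchaCode" key,
        // not for errors attached to it; confirm the CaptchaValidation attribute
        // adds the key only when the code is wrong.
        ModelState.AddModelError("", "Código de seguridad incorrecto");
    }

    // Always invalidate the current CAPTCHA challenges before re-rendering the form.
    MvcCaptcha.ResetCaptcha("BotCaptcha");
    MvcCaptcha.ResetCaptcha("CaptchaCode");
    return View(model);
}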
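/// <summary>
/// Signs the current user out: expires the authentication and "Session" cookies
/// in the browser, destroys the server-side session and redirects to the login page.
/// </summary>
/// <remarks>
/// This only removes the cookies from the browser that made the request.
/// FormsAuthentication keeps no server-side list of issued tickets, so a copy of
/// the old "Auth" cookie value (for example one pasted into an HTTP client) is
/// still accepted by [Authorize] until the ticket's own expiry. Revoking a ticket
/// at logout needs server-side state, such as a per-user ticket identifier that is
/// checked on every request; that is not implemented here.
/// NOTE(review): the action has no verb restriction or anti-forgery token, so a
/// cross-site request can trigger a sign-out.
/// </remarks>
/// <returns>
/// A redirect to Home/Login, or the "Logout" view if clearing the state failed.
/// </returns>
[AllowAnonymous]
public ActionResult Logout()
{
    MvcCaptcha.ResetCaptcha("BotCaptcha");
    MvcCaptcha.ResetCaptcha("CaptchaCode");
    ViewBag.Message = "Logout";
    try
    {
        Response.Cookies.Clear();

        // Queues an already-expired auth cookie on the response; it does not
        // invalidate the ticket on the server.
        FormsAuthentication.SignOut();

        var expiredSession = new HttpCookie("Session")
        {
            Expires = DateTime.Now.AddYears(-1)
        };
        Response.Cookies.Add(expiredSession);

        // Clear() empties the session; Abandon() also ends it on the server so the
        // old session is not reused.
        Session.Clear();
        Session.Abandon();
        return RedirectToAction("Login", "Home");
    }
    catch (Exception ex)
    {
        // Best effort: still fall through to the logout view, but leave a trace
        // instead of silently hiding a failed sign-out.
        System.Diagnostics.Trace.TraceError("Logout failed: {0}", ex);
    }

    return View("Logout");
}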