0
votes

I have a Web Forms ASP.NET website, and I am trying to bolt on an API. I have managed to add some code in Global.ASAX Application_AuthenticateRequest() to spot URLs starting with API, such that API requests correctly route to Web API 2 controllers.

I create a security principal in Application_AuthenticateRequest(), and I use [Authorize] attribute to block unauthenticated access to the API classes.

I think a cookie is still being used though. Once I have authenticated one API request, via the browser challenge, I am not challenged again. I have to close the browser to force the browser to drop the cookie, and only on a new instance of the browser do I get a challenge.

It is not a big problem, but it is something that I should know about and be able to control. I am aware that this has only come about because I am using Forms Auth by default, because this started as a forms project, and is mutating into forms+basic.

How can I get the basic authentication flow going so that the forms cookie details are (conditionally) removed, or ignored?

IDE is Visual Studio 2015 Community, project is ASP.NET + WebAPI2, targeting .NET 4.6.1, running under IIS 7.5, on Win Server 2008 R2.

1 Answer

0
votes

The easiest way to do that is through authentication.form.timeout in web.config. You can set a small value to expire the cookie. Otherwise, you have to implement your authentication filter. This article should be helpful.
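
As an added example (not code from the question or the answer), here is one shape the "implement your authentication filter" route can take in Web API 2: a filter that discards any principal derived from the forms cookie, accepts only a Basic `Authorization` header, and stops Forms Authentication from rewriting the API's 401 into a login redirect. The class name, the realm value and the use of `Membership.ValidateUser` as the credential check are assumptions.

```csharp
using System;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Http.Filters;
using System.Web.Http.Results;
using System.Web.Security;

// Hypothetical filter: put it on the API controllers next to [Authorize].
public class BasicOnlyAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    public bool AllowMultiple { get { return false; } }
    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken ct)
    {
        // Drop any principal built from the forms cookie earlier in the pipeline.
        context.Principal = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        string user = null, password = null;
        AuthenticationHeaderValue auth = context.Request.Headers.Authorization;
        bool ok = auth != null && string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase)
            && TryDecode(auth.Parameter, out user, out password)
            && Membership.ValidateUser(user, password); // assumption: accounts live in the Membership provider
        if (ok)
            context.Principal = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
        else // missing or bad credentials: 401 with a Basic challenge (realm is a placeholder)
            context.ErrorResult = new UnauthorizedResult(
                new[] { new AuthenticationHeaderValue("Basic", "realm=\"api\"") }, context.Request);
        return Task.FromResult(0);
    }
    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken ct)
    {
        // Keep FormsAuthenticationModule from turning the API's 401 into a 302 to the login page.
        if (HttpContext.Current != null) HttpContext.Current.Response.SuppressFormsAuthenticationRedirect = true;
        return Task.FromResult(0);
    }
    private static bool TryDecode(string parameter, out string user, out string password)
    {
        user = password = null;
        string pair;
        try { pair = Encoding.UTF8.GetString(Convert.FromBase64String(parameter ?? "")); }
        catch (FormatException) { return false; }
        int colon = pair.IndexOf(':'); // split at the first colon; the password may contain ':'
        if (colon < 1) return false;
        user = pair.Substring(0, colon);
        password = pair.Substring(colon + 1);
        return true;
    }
}
```

Because the filter rejects every request that lacks valid Basic credentials, actions marked `[AllowAnonymous]` on a controller carrying it will also receive a 401. Basic credentials travel base64-encoded rather than encrypted, so the API should be served over HTTPS only.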