MSDN says:
The LoggedIn event is raised after the authentication provider checks the user's credentials and the authentication cookie is queued to send to the browser in the next response. Use the LoggedIn event to provide additional processing, such as accessing per-user data, after the user is authenticated.
So this event seems to be the right place to replace cookies. Firstly, the cookie needs to be retrieved and decrypted:
HttpCookie authCookie = Response.Cookies[FormsAuthentication.FormsCookieName];
FormsAuthenticationTicket oldAuthTicket =
FormsAuthentication.Decrypt(authCookie.Value);
Right after this, a new authentication ticket based on the one just extracted should be created:
FormsAuthenticationTicket newAuthTicket = new FormsAuthenticationTicket(
oldAuthTicket.Version,
oldAuthTicket.Name,
DateTime.Now,
DateTime.Now.Add(timeoutForUser),
oldAuthTicket.IsPersistent,
oldAuthTicket.UserData,
FormsAuthentication.FormsCookiePath
);
timeoutForUser here is a TimeSpan value that holds the session timeout for the user.
And finally, the old cookie in the response should be replaced with the new one:
// Encrypt the ticket created above (newAuthTicket).
string encryptedTicket = FormsAuthentication.Encrypt(newAuthTicket);
authCookie =
    new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
HttpContext.Current.Response.Cookies.Set(authCookie);
This should do the trick.
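The three steps above combined into one LoggedIn handler, as an added example that is not part of the original post. It also restores the cookie attributes that a freshly constructed HttpCookie does not carry over from the one it replaces (HttpOnly, Secure, Path, Domain, and Expires for persistent tickets). The names LoginPage, Login1_LoggedIn and GetTimeoutForUser are hypothetical, and the 20-minute value is a constructed sample.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class LoginPage : Page
{
    // Hypothetical helper: look up the per-user session timeout.
    private static TimeSpan GetTimeoutForUser(string userName)
    {
        return TimeSpan.FromMinutes(20); // constructed sample value
    }

    // Wire to the Login control's LoggedIn event (OnLoggedIn="Login1_LoggedIn").
    protected void Login1_LoggedIn(object sender, EventArgs e)
    {
        HttpCookie queued = Response.Cookies[FormsAuthentication.FormsCookieName];
        // The Response.Cookies indexer creates an empty cookie when none exists,
        // so an empty value means no authentication cookie was queued.
        if (queued == null || string.IsNullOrEmpty(queued.Value)) return;

        FormsAuthenticationTicket oldTicket = FormsAuthentication.Decrypt(queued.Value);
        if (oldTicket == null) return;

        DateTime now = DateTime.Now;
        FormsAuthenticationTicket newTicket = new FormsAuthenticationTicket(
            oldTicket.Version, oldTicket.Name, now,
            now.Add(GetTimeoutForUser(oldTicket.Name)),
            oldTicket.IsPersistent, oldTicket.UserData,
            FormsAuthentication.FormsCookiePath);

        HttpCookie replacement = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(newTicket));
        // A new HttpCookie starts with default attributes; set them explicitly
        // from the forms authentication configuration.
        replacement.HttpOnly = true;
        replacement.Secure = FormsAuthentication.RequireSSL;
        replacement.Path = FormsAuthentication.FormsCookiePath;
        if (FormsAuthentication.CookieDomain != null)
            replacement.Domain = FormsAuthentication.CookieDomain;
        // Persistent tickets need a cookie expiry that matches the ticket.
        if (newTicket.IsPersistent)
            replacement.Expires = newTicket.Expiration;

        Response.Cookies.Set(replacement);
    }
}
```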