In your code you create the cookie and then check it. There should be two separate scenarios:
- If there is no cookie, you authenticate the user via the form and set the cookie
- If the cookie is present, you use the cookie's value
Example
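''' <summary>
''' Handles the login button click: validates the submitted credentials and, on success,
''' issues an encrypted forms-authentication cookie and redirects the user.
''' On failure the user is sent back to logon.aspx.
''' </summary>
''' <param name="sender">The control that raised the event.</param>
''' <param name="e">Event data (not used).</param>
Private Sub cmdLogin_ServerClick(sender As Object, e As System.EventArgs)
    If Not ValidateUser(txtUserName.Value, txtUserPass.Value) Then
        Response.Redirect("logon.aspx", True)
        Return
    End If

    ' Build a 30-minute ticket for the user and encrypt it for transport in the cookie.
    Dim tkt As New FormsAuthenticationTicket(1, txtUserName.Value, DateTime.Now, DateTime.Now.AddMinutes(30), chkPersistCookie.Checked, "your custom data")
    Dim cookiestr As String = FormsAuthentication.Encrypt(tkt)

    Dim ck As New HttpCookie(FormsAuthentication.FormsCookieName, cookiestr)
    If chkPersistCookie.Checked Then
        ' A persistent cookie lives as long as the ticket; otherwise it is a session cookie.
        ck.Expires = tkt.Expiration
    End If
    ck.Path = FormsAuthentication.FormsCookiePath
    ' The cookie is the user's credential: keep it away from client script, and send it
    ' over TLS only when the forms-authentication configuration requires SSL.
    ck.HttpOnly = True
    ck.Secure = FormsAuthentication.RequireSSL
    Response.Cookies.Add(ck)

    ' ReturnUrl is supplied by the request, so it is untrusted. Accept only a path rooted
    ' on this site ("/..."); anything else (absolute URL, "//host", "/\host") falls back to
    ' the default page so the login cannot be used to redirect to another site.
    Dim strRedirect As String = Request("ReturnUrl")
    Dim isLocalPath As Boolean = Not String.IsNullOrEmpty(strRedirect) AndAlso
        strRedirect.StartsWith("/", StringComparison.Ordinal) AndAlso
        Not strRedirect.StartsWith("//", StringComparison.Ordinal) AndAlso
        Not strRedirect.StartsWith("/\", StringComparison.Ordinal)
    If Not isLocalPath Then
        strRedirect = "default.aspx"
    End If

    Response.Redirect(strRedirect, True)
End Sub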
In Global.asax:
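''' <summary>
''' Global.asax handler for the forms-authentication Authenticate event. When the request
''' carries a valid, unexpired forms-authentication cookie, sets <c>e.User</c> to a principal
''' built from the ticket's user name and the roles returned by DBHelper.GetUserRoles.
''' In every other case <c>e.User</c> is left unset.
''' </summary>
''' <param name="sender">The object that raised the event.</param>
''' <param name="e">Event data; <c>e.User</c> receives the principal on success.</param>
Protected Sub FormsAuthentication_OnAuthenticate(sender As [Object], e As FormsAuthenticationEventArgs)
    If Not FormsAuthentication.CookiesSupported Then
        Return
    End If

    Dim authCookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
    If authCookie Is Nothing OrElse String.IsNullOrEmpty(authCookie.Value) Then
        Return
    End If

    Try
        Dim ticket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value)

        ' Decrypt returns the ticket even when it has expired, and this handler sets
        ' e.User itself, so the expiry check has to be made here.
        If ticket Is Nothing OrElse ticket.Expired Then
            Return
        End If

        Dim username As String = ticket.Name

        ' Roles come from the data store, keyed by the user name from the ticket.
        ' NOTE(review): assumes GetUserRoles returns a ';'-separated string - confirm.
        Dim roles As String = DBHelper.GetUserRoles(username)
        Dim roleList As String() = If(roles Is Nothing, New String() {}, roles.Split(";"c))

        e.User = New System.Security.Principal.GenericPrincipal(New System.Security.Principal.GenericIdentity(username, "Forms"), roleList)
    Catch ex As Exception
        ' Fail closed: a cookie that cannot be decrypted, or a role lookup that fails,
        ' leaves e.User unset. Record the failure type so it is not silently lost;
        ' the cookie value itself is never logged.
        System.Diagnostics.Trace.TraceWarning("Forms authentication cookie rejected: " & ex.GetType().Name)
    End Try
End Sub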
See complete example here