I'm developing a site where an admin user will be able to login as other user types in the system. I there for have a need to track a current "display" user and the current "logged in" user. The most obvious place seems to be session but then you have challenges keeping the session timeout in sync with the authentication timeout.
See my question here: MVC session expiring but not authentication
What are the best practices for handling this kind of a scenario?
Besides the usual web.config settings for timeouts/security:
Here's how I handle this in my controllers:
And then for my LogOut() controller method I say:
For processing cookies I have: