0

In my web.config - I don't use forms authentication. I set the forms cookie myself.

However, sometimes I see code like this:

/*1*/   protected void Application_AuthenticateRequest(Object sender, EventArgs e)
/*2*/    {
/*3*/     if (HttpContext.Current.User != null)
/*4*/       {
/*5*/        if (HttpContext.Current.User.Identity.IsAuthenticated)
/*6*/          {
/*7*/              //...
/*8*/              HttpContext.Current.User = ....
/*9*/              //...
/*10*/          }
/*11*/        }
/*12*/   }

Looking at line #5:

How can it ever be authenticated if line #8 is about to set authentication?

I mean, line #8 is the one that sets authentication for that specific request, and when the request is finished, there is no "memory" for future requests. (Cookie expiration is merely for how long to keep the persistent cookie.)

Question

  • In what scenarios would line #5 return true?
  • In what scenarios would line #3 be null?

NB: this question assumes that the begin_request event is not setting anything, and the only stage where authentication is set is Application_AuthenticateRequest. I don't use the membership engine.


placeholder :

http://msdn.microsoft.com/en-us/library/aa289844(v=vs.71).aspx


leppie
Royi Namir

1 Answer

1

Line #3 can become null if the login cookie expires. Line #5 is true if the user is logged in.

It can seem like these two methods go hand-in-hand and in fact they do. It can be easier to check for HttpRequest.IsAuthenticated. For more information see here:

asp.net membership IsApproved false but still allowing login

And here:

http://msdn.microsoft.com/en-us/library/system.web.httprequest.isauthenticated%28loband%29.aspx

I do not have an answer to your main question though. Sorry.

In addition to my comment below, you may find this link helps explain the abilities of adding roles to existing principals. http://msdn.microsoft.com/en-us/library/vstudio/5k850zwb%28v=vs.100%29.aspx

Community
Craig Moore
  • As you said, this is not an answer. Line #8 is **about to set** authentication, so it seems that line `#3` at stage `N` remembers the authentication from stage `N-1` (PS: I don't use membership) – Royi Namir May 18 '14 at 07:10
  • I have been through the link you have provided and I think you have missed what the routine is doing. Line #8 is not setting authentication, after all it is reapplying the existing identity to the new principal it is generating. The link you provided even explains it. The new principal is a copy of the old principal but the new one contains the roles associated with the user account. This is because you cannot add roles to the roles object of an existing principal object. – Craig Moore May 18 '14 at 07:32
  • Craig, the act of setting an IPrincipal object into `context.User` _IS_ what causes IsAuthenticate to get true/false, so it does set authentication. However, I think I know what my problem is. I don't use forms authentication on the whole site. I set it regularly and on each request I set Context.User with a value. BUT(!) with forms authentication, it does it automatically. Hence the _if_ condition. – Royi Namir May 18 '14 at 07:34
  • Re-reading your comment: you're right, it is merely to add roles. But (another question): roles are NOT kept in the cookie, so where does it get them from? – Royi Namir May 18 '14 at 08:21
  • **PS I think I know what happens. (please ack)** They store the roles in the cookie as a UserData property (which is a bad thing because the cookie size is increased due to more data). What I(!) have done is to keep the roles information in the cache in a dictionary, so I only need from the cookie the identification of the user; then onAuthenticate I attach to Context.User the data from the cache. – Royi Namir May 18 '14 at 08:31
  • 1
    Yes, this sounds correct. By storing the information in a dictionary and then pulling that based on the user cookie you get their role data that way. Provided that you are attaching the role data to the Context.User object everything should work correctly. You may have a performance hit depending on where you store the dictionary but ultimately it should be negligible. – Craig Moore May 18 '14 at 10:29
  • PS - At what stage does Forms authentication put the value in Context.User? – Royi Namir May 18 '14 at 10:30
  • I honestly do not know. – Craig Moore May 18 '14 at 10:33
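
The pattern discussed in this thread, as an added example that is not code from the question, the answer, or the linked MSDN articles: an `Application_AuthenticateRequest` handler that covers both the case where `FormsAuthenticationModule` has already populated `Context.User` and the case where the cookie is validated by hand, and then attaches roles looked up on the server instead of trusting role data in the cookie. The `RoleStore` dictionary, its sample users and the `GetRolesFor` helper are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Constructed sample data standing in for a real role store (assumption).
    private static readonly Dictionary<string, string[]> RoleStore =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Admin", "User" } },
            { "bob", new[] { "User" } }
        };

    // Roles are resolved server-side, so the cookie only has to identify the user.
    private static string[] GetRolesFor(string userName)
    {
        string[] roles;
        return RoleStore.TryGetValue(userName, out roles) ? roles : new string[0];
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IIdentity identity = null;
        if (Context.User != null && Context.User.Identity.IsAuthenticated)
        {
            // Forms authentication enabled: FormsAuthenticationModule already
            // validated the ticket and set Context.User before this handler ran.
            identity = Context.User.Identity;
        }
        else
        {
            // Forms authentication disabled: validate the cookie ourselves.
            HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
            if (cookie != null && !string.IsNullOrEmpty(cookie.Value))
            {
                try
                {
                    FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
                    if (ticket != null && !ticket.Expired)
                        identity = new FormsIdentity(ticket);
                }
                catch (ArgumentException) { } // malformed or tampered ticket: stay anonymous
            }
        }
        if (identity == null) return; // anonymous request, leave Context.User alone

        // Re-wrap the same identity in a principal that carries the roles.
        Context.User = new GenericPrincipal(identity, GetRolesFor(identity.Name));
    }
}
```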