Who sets the IsAuthenticated property of the HttpContext.User.Identity

asp.net-mvc authentication forms-authentication
Elisabeth picture Elisabeth · Dec 28, 2011 · Viewed 25.6k times · Source

This code is from the asp.net mvc RTM source code

Who sets the IsAuthenticated property of the HttpContext.User.Identity ?

   protected virtual bool AuthorizeCore(HttpContextBase httpContext) {
        if (httpContext == null) {
            throw new ArgumentNullException("httpContext");
        }

        IPrincipal user = httpContext.User;
        if (!user.Identity.IsAuthenticated) {
            return false;
        }
    }

Is the IsAuthenticated property set by calling the method (asp.net mvc 4.0 sample project):

FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

When I debug the code of the LogOn method of the asp.net mvc 4.0 sample project after the above FormsAuth... method call. The execution of

User.Identity.IsAuthenticated

is still returning FALSE. Only when I debug the LogOff method the 

User.Identity.IsAuthenticated

says TRUE. So who is setting this property to TRUE and WHEN ?

UPDATE:

This is about FORMS authentication!

I did now debug the LogOn method of the asp.net mvc sample project and after the LogOn action is returned my AuthorizeCore method I have overridden is called and then the IsAuthenticated property is TRUE!

Does setting of TRUE depend maybe of the ModelState.Value.Error collections ?

If count == 0 in the error collections the IsAuthenticated is TRUE else the IsAuthenticated is FALSE

Can you confirm that?

Answer

Darin Dimitrov picture Darin Dimitrov · Dec 29, 2011

This property is set by the forms authentication module by reading and parsing the forms authentication cookie from the request. I've put request in bold because I suspect that's the reason why you are observing this behavior. Let me explain. When you call FormsAuthentication.SetAuthCookie upon successful authentication you are adding the authentication cookie to the response. This cookie will be stored on the client browser and will be sent on subsequent requests. So it is only on subsequent requests that the user will be considered as authenticated. So you need to always redirect after calling the SetAuthCookie method. Inside the request that called this method you already know whether the user provided correct credentials so you don't need to check the IsAuthenticated property.

Related questions

How to redirect to a dynamic login URL in ASP.NET MVC

I'm creating a multi-tenancy web site which hosts pages for clients. The first segment of the URL will be a string which identifies the client, defined in Global.asax using the following URL routing scheme: "{client}/{controller}/{action}/{id}" This …

Read More
Store/assign roles of authenticated users

I am upgrading a site to use MVC and I am looking for the best way to set up Authentication. At this point, I have the log-in working off of Active Directory: validating a username and password, and then setting …

Read More
ASP.NET - Redirect to Error Page if Roles Authorization Fails

I am using MVC 3 with Forms Authentication. On my controller or methods, I am doing the following: [Authorize (Roles = "developer")] In this situation, I want to check if the user is logged in and if not, return them to the …

Read More