views:

1312

answers:

4

In an ASP.NET (2.0) application I use FormsAuthentication.

In the Global.asax / Application_AuthenticateRequest method I check if HttpContext.Current.User is null.

Is this enough to know if the forms authentication cookie exists, the ticket is not expired, and overall, that the forms authentication mechanism has done its job to validate the user?

I need this, because I have certain pages in that application, which sometimes do not need authentication to be accessed (based on some criteria), and I put them in a separate "location" directive in web.config with in order to exclude them from "catch all" forms authentication.

I.e. I'm trying to check in Application_AuthenticateRequest if the page accessed in this "location" needs protection or not, and if yes, to know if the user has been authenticated already, or I need to redirect to Logon.

EDIT: As the answers suggest, most probably I'll go with IsAuthenticated. In order for me to grasp it better, here are 2 bonus questions :) (please, edit other answers to add these, thanks) :

  1. Can I assume that if IsAuthenticated is true, then HttpContext.Current.User will for sure contain the username for the authenticated user?

  2. How can I end up with an "anonymous user" in HttpContext.Current.User, if FormsAuthentication is enforced, and only few pages are excluded with "location" directive?

+2  A: 

I usually use Request.IsAuthenticated. I couldn't tell you whether your approach should work or not. It sounds like it should, although it might have side effects if you support anonymous logins?

Kevin Pang
+12  A: 

No, the User could just be a reference to the anonymous user. Check HttpContext.Current.Request.IsAuthenticated.

bdukes
Thanks. I got the idea to use the "standard" way, but just as a side question - how could it be "anonymous" user?
Sunny
If the website allows for anonymous access (meaning not even Basic Authentication is used) then the user is considered anonymous. IIS typically assigns a "user" when somebody arrives in this manner, but it is set to the IUSR_MachineName or something else.
Dillie-O
+1  A: 

Good question: in addition to the answers others have given, I'd suggest that you take a look at this article on the 4GuysFromRolla site.

Mark Brittingham
A: 

As an aside, be sure to check the context is not null as well (in case you're working in an HttpModule).

ccook
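
An added example, not part of the original thread: a Global.asax code-behind sketch of the check the answers describe, testing Request.IsAuthenticated rather than User != null and guarding against a null context. The RequiresLogin helper and the "~/shared/private/" path are hypothetical stand-ins for the asker's "some criteria".

```csharp
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical rule (assumption for illustration): pages under this
    // folder sit in the excluded <location> but still need a login.
    private static bool RequiresLogin(HttpRequest request)
    {
        return request.AppRelativeCurrentExecutionFilePath.StartsWith(
            "~/shared/private/", StringComparison.OrdinalIgnoreCase);
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Guard suggested in the last answer: the context can be null
        // when this logic runs outside a normal request.
        HttpContext context = HttpContext.Current;
        if (context == null)
        {
            return;
        }

        if (!RequiresLogin(context.Request))
        {
            return; // page is open to everyone, nothing to enforce
        }

        // Do not test "context.User != null": a non-null User can still be
        // the anonymous user. Request.IsAuthenticated is true only when
        // User, User.Identity and Identity.IsAuthenticated all check out.
        if (context.Request.IsAuthenticated)
        {
            // Safe to read here: context.User.Identity.Name holds the
            // name carried by the forms authentication ticket.
            return;
        }

        // RedirectToLoginPage does not end the request by itself, so skip
        // the rest of the pipeline to keep the protected page from running.
        FormsAuthentication.RedirectToLoginPage();
        CompleteRequest();
    }
}
```

Deciding on the path alone keeps the rule out of the caller's hands; a criterion read from the query string or a form field could simply be omitted by the client.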