Hi,

My goal is to write a cookie when the user authenticates. We are using a crappy framework that hides its source code and event model so when I use their login control I can't set a session timeout on it!

Anyhow, I am trying to write a cookie when the user is logged in, and then refresh the cookie expire time on subsequent page views (sliding expiration).

So I figured I could initially create the cookie during Application_AuthenticateRequest in the global.asax but that seems to be firing even when the user hasn't signed in yet.

Is that supposed to be the case?

A: 

Yes. The Application_AuthenticateRequest will occur every time a request hits the website. The AuthenticateRequest as well as doing the authentication will also check and return if Authorisation is to happen for the page. Some pages need to be excluded from authentication and authorisation checks, such as the login page.

For your situation you should also check the page and exclude those that are involved in the login sequence.

David McEwing
A: 

The Application_AuthenticateRequest fires on each request, but if you are using forms authentication and the user hasn't logged in yet, you will find that the User property of the HttpContext (accessed through this.User in the global application class file) evaluates to null, while it will evaluate to an IPrincipal object if the user is logged in.

So you can do something like this:

Private Sub Application_AuthenticateRequest(ByVal pObjSender As Object, ByVal pEaDummy As EventArgs)
    If Me.User IsNot Nothing AndAlso Me.User.Identity.IsAuthenticated Then
        If Me.Request.Cookies("authCookieName") Is Nothing Then
            ' Create cookie
        Else
            ' Update cookie
        End If
    End If
End Sub

where authCookieName is the cookie name.

Ashraf Sabry
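
The sliding expiration discussed in this thread, written out as an added example that is not part of either answer. The class name, the cookie value and the 20-minute window are assumptions; the cookie name is the placeholder used in the answer above.

```vbnet
Imports System
Imports System.Web

' Code-behind for global.asax. The class name, cookie value and
' 20-minute window are assumptions made for this example.
Public Class GlobalApplication
    Inherits HttpApplication

    Private Const ActivityCookieName As String = "authCookieName"
    Private Shared ReadOnly SlidingWindow As TimeSpan = TimeSpan.FromMinutes(20)

    Private Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' The event fires on every request, including anonymous ones,
        ' so do nothing until forms authentication has set a principal.
        If Me.User Is Nothing OrElse Not Me.User.Identity.IsAuthenticated Then
            Return
        End If

        ' Browsers send back only name=value, so a cookie read from the
        ' request carries no Expires, HttpOnly or Secure. Creating and
        ' refreshing are therefore the same operation: emit a complete
        ' cookie on every authenticated request.
        Dim refreshed As New HttpCookie(ActivityCookieName)

        ' Use a constant marker value; the client-supplied value is
        ' not echoed back into the response.
        refreshed.Value = "1"

        ' Slide the expiry forward from the time of this request.
        refreshed.Expires = DateTime.Now.Add(SlidingWindow)

        ' Keep the cookie away from script, and mark it HTTPS-only
        ' whenever the current request arrived over HTTPS.
        refreshed.HttpOnly = True
        refreshed.Secure = Me.Request.IsSecureConnection

        ' Set replaces any cookie of the same name already queued
        ' on the response, so only one Set-Cookie header is sent.
        Me.Response.Cookies.Set(refreshed)
    End Sub
End Class
```

The browser enforces the expiry, so treat this cookie as an activity marker and not as proof of authentication.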