In an ASP.NET (2.0) application I use FormsAuthentication.

In the Global.asax / Application_AuthenticateRequest method I check if HttpContext.Current.User is null.

Is this enough to know if the forms authentication cookie exists, the ticket is not expired, and overall, that the forms authentication mechanism has done its job to validate the user?

I need this, because I have certain pages in that application, which sometimes do not need authentication to be accessed (based on some criteria), and I put them in a separate ‘location’ directive in web.config with in order to exclude them from ‘catch all’ forms authentication.

I.e. I’m trying to check in Application_AuthenticateRequest if the page accessed in this ‘location’ needs protection or not, and if yes, to know if the user have been authenticated already, or I need to redirect to Logon.

EDIT: As the answers suggest, most probably I’ll go with IsAuthenticated. In order for me to grasp it better, here are 2 bonus questions 🙂 (please, edit other answers to add these, thanks) :

1. Can I assume that if IsAuthenticated is true, then HttpContext.Current.User will for sure contain the username for the authenticated user?

2. How can I end up with an ‘anonymous user’ in HttpContext.Current.User, if FormsAuthentication is enforced, and only few pages are excluded with ‘location’ directive?