I’ve found an MSDN article which is perhaps the most helpful I’ve yet seen on the sequence and workings of the IIS integrated pipeline. But it raises interesting questions regarding authentication.

Forms Authentication is shown as “executing” very early in the pipeline. The “Execute” handler, such as for ASP.NET MVC routing and controller execution, is shown much later. But all too often the authentication story for ASP.NET MVC looks like this:

public ViewResult Login(LoginModel login)
{
    if (ModelState.IsValid)
    {
        if (Membership.ValidateUser(...)){
            FormsAuthentication.SetAuthCookie(...);
        }
    }
    //...
}

The above code suggests that (forms) authentication occurs during the “Execute” handler stage, not the much earlier “Authentication” IIS stage.

Can somebody clarify this seeming discrepency?

My own guess about this is that the IIS “authentication” stage will execute FormsAuthenticate.Authorize(…), when indicated, if no membership provider has been configured by me. But if I configure my own membership provider, then the IIS “authentication” stage effectively does nothing – and waits for the “execute” stage so that my own authentication code can execute.

If my guess is correct, then if I’ve configured my own membership provider, it means that the “Acquire State” IIS stage will also not function as expected: it will not yet “see” session established because session won’t be established until I have done my authentication step inside my MVC controller. Or perhaps the “Authenticate” and “Acquire State” related application events will “hold-off” and not be raised until my controller has executed its authentication code?

Yes? No?