Home/ Questions/Q 8090511
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T19:44:52+00:00

Setup I am using custom Forms Authentication – all standard stuff. In the Login

  • 0

Setup

I am using custom Forms Authentication – all standard stuff.

In the Login action on my Account controller,

  • I check the user’s details against the db
  • If successful I create a Forms Authentication ticket
  • Store the logged in members db row id in UserData in the ticket
  • Encrypt the ticket
  • Store the ticket in a cookie
  • Add the cookies to the Reponse.Cookies collection
  • Redirect to Index Action on Home Controller

I registered a handler in global asax for the AuthenticateRequest event. In my handler,

  • I retrieve the cookie from HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
  • If the cookie exists I decrypt the value of the Forms Authentication ticket in the cookie
  • Retrieve the user’s details from the db using the Id stored in the authentication ticket UserData.
  • Create a custom principal and set the user (it has a custom LoggedInUser property) to the user I retrieved from the db.
  • Set the HttpContext.Current.User to the custom principal

Problem

I debug a request for the home page after I have logged in and note that the AuthenticateRequest handler in global.asax is hit more than once per page request. I’ve checked the HttpContext.Current.Request.Path and this is because each resource on my page (effectively, every HTTP GET) is firing the authenticate requet, so, GET jquery.js, GET logo.png etc…

Question

On the first handled AuthenticateRequest I go to the db and then set the HttpContext.Current.User to my custom principal. What would be a good way to avoid going to the db for subsequent HTTP GETs that cause the AuthenticatRequest to fire. Effectively, authenticate once and once only until the user closes their browser or until the Authentication Ticket expires.

TIA

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Instead of using the AuthenticateRequest method in your Global.asax I would recommend you writing a global action filter. This way the action filter will apply only before executing some action and populate the User. In fact a custom [Authorize] attribute is the best way to achieve that:

    public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var authorized = base.AuthorizeCore(httpContext);
        if (!authorized)
        {
            return false;
        }

        // TODO: go ahead and work with the UserData from the authentication cookie
        // basically all the steps you described for your AuthenticateRequest handler
        // except for checking the presence of the forms authentication cookie because
        // we know that at this stage it exists and the user was successfully authorized

        return true;
    }
}
    • 0