HttpContext.User is set correctly, then lost / replaced by the following request

I have implemented a custom AuthCheckAttribute and used it globally in my application.

I have verified that the control flow is correct and that AllowAnonymousAttribute is enforced as expected.

In my login action handler, I set the current User like this:

//This user is an NHibernate entity representing a user of the
//app. AuthUser takes the Identity.Name from here.
HttpContext.User = AuthUser.CreateAuthUser(user);

      

If the username:password combination is valid, AuthUser.CreateAuthUser() returns an IPrincipal with an IIdentity that returns true for IsAuthenticated.

After that, the Login action handler redirects to the page the user originally came from, and now, in the AuthCheckAttribute.OnAuthentication() method, context.HttpContext.User is an instance of System.Security.Principal.WindowsPrincipal (and IsAuthenticated returns false), not the AuthUser I set in my login handler.

What am I doing wrong? The problem seems to be that the User set in the Login action handler is lost / replaced by the time execution reaches AuthCheckAttribute.OnAuthentication() again.

I have classes AuthUser : IPrincipal and AuthIdentity : IIdentity. The call AuthUser.CreateAuthUser(user) instantiates the AuthUser and AuthIdentity classes correctly, so there is no problem there.

Configuration: MVC5, .Net 4.5

+3




1 answer


No session is required. You can simply store an HTTP-only cookie in the browser with an encrypted user ID. In your filter, check for this cookie and use the stored user ID to reload the user and set it on the HttpContext.



+1
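The approach the answer describes, as an added example that is not part of the original question or answer. HttpContext.User exists only for the request that set it, so the login action issues a protected cookie and the filter rebuilds the principal on every later request. Using a FormsAuthenticationTicket as the encrypted container is a choice made here, and the cookie name, AuthCookie, CookieAuthCheckAttribute and the LoadPrincipal hook are hypothetical names.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Filters;
using System.Web.Security;

public static class AuthCookie // hypothetical helper
{
    public const string Name = "app_auth"; // hypothetical cookie name

    // Call from the login action once the credentials have been validated.
    public static void Issue(HttpResponseBase response, string userId, TimeSpan lifetime)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userId, DateTime.Now, DateTime.Now.Add(lifetime), false, string.Empty);
        // Encrypt() protects the ticket with the application's machineKey.
        response.Cookies.Add(new HttpCookie(Name, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true, // not readable from script
            Secure = true    // sent over HTTPS only
        });
    }

    // Returns the user ID from an intact, unexpired ticket, otherwise null.
    public static string ReadUserId(HttpRequestBase request)
    {
        var cookie = request.Cookies[Name];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            var ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket.Name;
        }
        catch (Exception) { return null; } // tampered or undecryptable value
    }
}

public class CookieAuthCheckAttribute : FilterAttribute, IAuthenticationFilter
{
    // Hypothetical hook wired at startup: reload the user by ID and wrap it
    // (for example with AuthUser.CreateAuthUser), or return null if unknown.
    public static Func<string, IPrincipal> LoadPrincipal = id => null;

    public void OnAuthentication(AuthenticationContext context)
    {
        var userId = AuthCookie.ReadUserId(context.HttpContext.Request);
        var principal = userId == null ? null : LoadPrincipal(userId);
        // MVC copies a changed Principal to HttpContext.User for this request.
        if (principal != null) context.Principal = principal;
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext context) { }
}
```

Reloading the user on each request means a deleted or disabled account stops authenticating as soon as the lookup returns null, even while its cookie is still within its lifetime.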

