WebForms Forms Authentication: Request.IsAuthenticated=false after successful log in and redirect

问题

I'm having a real bad WebForms day today!

I have a mature WebForms web application using Forms Authentication. For some unknown reason my application has started to show Request.IsAuthenticated (on the Application_BeginRequest function in Global.asax) despite going to the login page, logging in successfully and calling FormsAuthentication.RedirectFromLoginPage().

I just can't work out what is going wrong. Here are the checks that I have done. I am hoping someone might point out something I've not checked here:

1. The authentication section of web.config is as follows:

   <authentication mode="Forms">
       <forms loginUrl="~/Login" timeout="120" cookieless="UseCookies" defaultUrl="~/ExitPoint.aspx?Page=Home" />
   </authentication>
   

2. The authorization section of web.config is as follows:

   <authorization>
       <deny users="?" />
       <allow users="*" />
   </authorization>
   

3. For pages such as Login/Logout I have:

   <location path="Login">
       <system.web>
           <authorization>
               <allow users="*" />
           </authorization>
       </system.web>
   </location>
   

4. When logging in, I have breakpointed and stepped through the authentication process. This finishes off with:

   FormsAuthentication.RedirectFromLoginPage(userID, createPersistentCookie: true); 
   // Includes call to SetAuthCookie()
   

where userID is a string value of "768".

5. An encrypted session cookie appears in my browser on the next request:

   Name=.ASPXAUTH
   Value=FFC592.....
   Expires=2016-05-16T15:41:58.817Z (basically "now"+1 hour)
   Path=/
   Domain=localhost
   HTTP=Yes
   Secure=(blank i.e. No)
   

6. Logging the Request.IsAuthenticated value in Global.asax Application_BeginRequest() method is outputting "False" (bool)

What else do I need to check to see what might be going amiss? THanks

回答1:

I think that is exactly what is to be expected. In the webforms request pipeline, the AuthenticateRequest event is raised after the BeginRequest event, so it makes sense that the request is not yet authenticated in the BeginRequest event.

See (for instance) here for a description of the pipeline. Or just Google for asp net webforms request pipeline and you will find plenty of links...

Partial copy from the page I linked to:

1. Validate the request, which examines the information sent by the browser and determines whether it contains potentially malicious markup. For more information, see ValidateRequest and Script Exploits Overview.
2. Perform URL mapping, if any URLs have been configured in the UrlMappingsSection section of the Web.config file.
3. Raise the BeginRequest event.
4. Raise the AuthenticateRequest event.
5. Raise the PostAuthenticateRequest event.
6. Raise the AuthorizeRequest event.
7. Raise the PostAuthorizeRequest event.
8. ...

来源：https://stackoverflow.com/questions/37255713/webforms-forms-authentication-request-isauthenticated-false-after-successful-lo