Who sets the IsAuthenticated property of the HttpContext.User.Identity

Question

This code is from the asp.net mvc RTM source code

Who sets the IsAuthenticated property of the HttpContext.User.Identity ?

   protected virtual bool          


        

Answer 1

This property is set by the forms authentication module by reading and parsing the forms authentication cookie from the request. I've put request in bold because I suspect that's the reason why you are observing this behavior. Let me explain. When you call FormsAuthentication.SetAuthCookie upon successful authentication you are adding the authentication cookie to the response. This cookie will be stored on the client browser and will be sent on subsequent requests. So it is only on subsequent requests that the user will be considered as authenticated. So you need to always redirect after calling the SetAuthCookie method. Inside the request that called this method you already know whether the user provided correct credentials so you don't need to check the IsAuthenticated property.

Answer 2

The origin of the property depends on the type of the Identity. For a FormsIdentity, the property just returns true:

/// <devdoc>
///    Indicates whether or not authentication took
///    place.
/// </devdoc> 
public  bool                         IsAuthenticated { get { return true;}}

That makes sense because the code in FormsAuthenticationModule.cs only assignes a FormsIdentity after authentication. The code seems quite complex, I see it extracts a ticket from a cookie, but I can't find where it validates the ticket.