MVC5 Where is Principal Read From Cookie?

Question

Where and when is the HttpContext.Current.User read from the HttpContext.Current.Request.Cookies ?

I have started looking at the ASP.NET MVC 5 source code http://aspnetwebstack.codeplex.com/ and couldn't figure out where principal was first set.

Answer 1

I am looking in the wrong spot. Authentication is now using the OWIN middleware. This blog is useful. The source code is in a project called katana. The source code is here. And here is the official asp.net blog post

In short. Owins is new way of processing the http request. The owins request is passed down a pipeline of 'middle ware' which handles the request. The CookieAuthenticationMiddleware from project katana (above) is responsible for decoding the authentication cookie.

Answer 2

If you are using federated authentication, it is the SessionAuthenticationModule that uses its configured CookieHandler to deserialize a cookie into a SessionSecurityToken. It then uses the token to create a ClaimsPrincipal for the user. This ClaimsPrincipal is then used to set to the Thread.CurrentPrincipal and HttpContext.User properties. This process takes place in the AuthenticateRequest and PostAuthenticateRequest steps of the ASP.NET pipeline. Since it is done in the ASP.NET pipeline, I doubt you will find it in the MVC source code.

You can find more info on the SessionAuthenticationModule here on MSDN.

This is a great post on FormsAuth and FedAuth. It explains how all the bits fit together in the ASP.NET pipeline.