markvgti

Reputation: 4619

HttpContext.User is getting set correctly, then is lost/replaced by next request

I have implemented a custom AuthCheckAttribute and used it globally in my application.

I have verified that control flow is correct and the AllowAnonymousAttribute is being respected properly.

In my Login action handler I set the current User as follows:

//This user is an NHibernate entity representing a user of the
//app. AuthUser takes the Identity.Name from here.
HttpContext.User = AuthUser.CreateAuthUser(user);

If the username:password combination is valid, AuthUser.CreateAuthUser() returns an IPrincipal with an IIdentity that returns true for IsAuthenticated.

After having set this, the Login action handler redirects to the page the user was originally going to, and now in the AuthCheckAttribute.OnAuthentication() method, context.HttpContext.User is set to an instance of System.Security.Principal.WindowsPrincipal (and IsAuthenticated returns false) and not to AuthUser as I set in my Login handler.

What am I doing wrong? The problem seems to be that the User I set in the Login action handler is lost/replaced by the time execution reaches AuthCheckAttribute.OnAuthentication() again.

I have classes AuthUser : IPrincipal and AuthIdentity : IIdentity. A call to AuthUser.CreateAuthUser(user) instantiates the AuthUser and AuthIdentity classes correctly, so no issues there.

Configuration: MVC5, .Net 4.5

Upvotes: 3

Views: 1303

Answers (1)

Jason Gerard

Reputation: 166

Session is not necessary. You can store an HTTP only cookie in the browser with the encrypted user id. In your filter, check for this cookie and use the stored user id to reload your user and set it in the HttpContext.

Upvotes: 1
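
One way to implement the cookie approach from the answer above, as an added example rather than code from either poster: MachineKey.Protect encrypts and signs the user id together with an expiry, and the filter restores the principal on every request, since HttpContext.User only lasts for the request in which it is set. The cookie name, the LoadPrincipal hook and an HTTPS-only site are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Filters;
using System.Web.Security;
public static class AuthCookie
{
    const string Name = "app_auth";          // assumed cookie name
    const string Purpose = "AuthCookie.v1";  // ties the protected bytes to this one use

    // Call from the Login action once the credentials have been verified.
    public static void Issue(HttpResponseBase response, string userId, TimeSpan lifetime)
    {
        var expires = DateTime.UtcNow.Add(lifetime);
        var plain = Encoding.UTF8.GetBytes(expires.Ticks + "|" + userId);
        var value = HttpServerUtility.UrlTokenEncode(MachineKey.Protect(plain, Purpose));
        // Secure = true assumes the site is served over HTTPS only.
        response.Cookies.Add(new HttpCookie(Name, value) { HttpOnly = true, Secure = true });
    }
    // Returns the user id, or null when the cookie is missing, altered or expired.
    public static string Read(HttpRequestBase request)
    {
        var cookie = request.Cookies[Name];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            var raw = HttpServerUtility.UrlTokenDecode(cookie.Value);
            if (raw == null) return null;
            var parts = Encoding.UTF8.GetString(MachineKey.Unprotect(raw, Purpose)).Split(new[] { '|' }, 2);
            long ticks;
            if (parts.Length != 2 || !long.TryParse(parts[0], out ticks)) return null;
            return ticks > DateTime.UtcNow.Ticks ? parts[1] : null;  // expiry is inside the protected payload
        }
        catch (CryptographicException) { return null; }  // integrity check failed
        catch (FormatException) { return null; }         // not valid token encoding
    }
}

public class AuthCheckAttribute : FilterAttribute, IAuthenticationFilter
{
    // Hypothetical hook, set at startup: load the entity, then AuthUser.CreateAuthUser(user).
    public static Func<string, System.Security.Principal.IPrincipal> LoadPrincipal;
    public void OnAuthentication(AuthenticationContext context)
    {
        var userId = AuthCookie.Read(context.HttpContext.Request);
        if (userId != null) context.Principal = LoadPrincipal(userId);
    }
    public void OnAuthenticationChallenge(AuthenticationChallengeContext context) { }
}
```

The filter's existing AllowAnonymous and IsAuthenticated checks would run after the principal is restored; logging out means expiring the cookie on the response.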
