How does WebSecurity.IsAuthenticated check if you're logged in or not?

Question

This is probably a stupid question, but I've looked pretty hard on Google and couldn't come up with the answer.

I'm creating a website where the database is in another continent, so speed is a crucial issue.

From what I understand,

 WebSecurity.Login(form.userName, form.password))

initially checks the database it's initially set up with and logs you in if the username and pw are correct.

Now for every backend function I'm writing, I'm sticking a

[Authorize]

attribute and a

if (WebSecurity.IsAuthenticated)
{ .... }

before performing any action. So does the WebSecurity.IsAuthenticated check the database at all to check if it is logged in or not? I just need to know for speed reasons.

Also is it redundant to put the [Authorize] and WebSecurity.IsAuthenticated in EVERY backend method?

Thanks for any help and opinions

Answer 1

In addition to what @Wiktor Zychla has said, it is useful to note that WebSecurity.IsAuthenticated is functionally identical to Request.IsAuthenticated; to be precise, it's a wrapper:

namespace WebMatrix.WebData
{
    //other class content omitted for brevity
    public static class WebSecurity
    {

        //Context
        internal static HttpContextBase Context
        {
            get { return new HttpContextWrapper(HttpContext.Current); }
        }

        //Request
        internal static HttpRequestBase Request
        {
            get { return Context.Request; }
        }

        //WebSecurity.IsAuthenticated 
        public static bool IsAuthenticated
        {
            get {  return Request.IsAuthenticated; }
        }

    }
}

So if you put all of the above together, WebSecurity.IsAuthenticated is equal to HttpContextWrapper(HttpContext.Current).Request.IsAuthenticated under the hood.

Aside: As correctly stated in the other answers and comments, [Authorize] is used to specify access to controller and action methods:

Specifies that access to a controller or action method is restricted to users who meet the authorization requirement. (source)

So IsAuthenticated works on both action methods and non-action methods, while [Authorize] only works on controllers and action methods, making it indeed redundant to use both on action methods.

Answer 2

So does the WebSecurity.IsAuthenticated check the database at all to check if it is logged in or not?

No, it just checks if the principal object in current request has the authentication flag set to true.

Usually the principal object is set by an authentication module, there are few different modules. Most use cookies to persist the information of the authenticated user (e.g. Forms, SessionAuthentication) and if the cookie is present and it's valid, the module sets the principal for the request which you can get by calling:

HttpContext.Current.User

in any method of your code (assuming the call is made from a web app that sets the HttpContext.Current).

Some authentication modules can rely on other authentication factors, for example the Windows authentication relies on NTLM/Kerberos protocols which in turn rely on specific headers rather than cookies.

Also is it redundant to put the [Authorize] and WebSecurity.IsAuthenticated in EVERY backend method

Yes and no.

What you most probably mean by "every backend method" is you mean a controller/action method in an MVC app. If this is so then, yes, you don't have to repeat both in a controller/action method.

But in any other method in your backend that is not a controller/action, the WebSecurity.IsAuthenticated still works while the Action attribute doesn't.

Thus, if by "every method" you literally mean every possible method, then the answer is no, these two are not redundant. One works always, the other - only in MVC controllers.