/// <summary>
/// AuthenticateRequest handler. If the configured authentication cookie is present,
/// validates and deserializes it, and assigns the resulting principal to
/// <c>context.User</c> unless the cookie is reported as expired. Requests for the
/// login page are exempted from authorization afterwards.
/// </summary>
/// <param name="sender">The <c>HttpApplication</c> raising the event.</param>
/// <param name="e">Unused event arguments.</param>
private void OnAuthenticateRequest(object sender, EventArgs e)
{
    var application = (HttpApplication)sender;
    var context = application.Context;
    var authCookie = context.Request.Cookies[_configuration.CookieName];

    if (authCookie != null)
    {
        var protector = new CookieProtector(_configuration);
        try
        {
            byte[] payload;

            // NOTE(review): the value returned by Validate is stored but never read, and
            // Deserialize below runs on the out buffer regardless. If that return value is
            // the success/failure signal, a failed validation is only rejected when the
            // buffer happens to make Deserialize throw. Confirm against CookieProtector
            // and gate the deserialization on the result.
            var validateResult = protector.Validate(authCookie.Value, out payload);

            var ticket = AuthenticationCookie.Deserialize(payload);
            bool expired = ticket.IsExpired(_configuration.Timeout);
            if (!expired)
            {
                context.User = ticket.GetPrincipal();
                // If renewal throws, the catch below swallows it and context.User
                // keeps the principal assigned on the previous line.
                RenewCookieIfExpiring(context, protector, ticket);
            }
        }
        catch
        {
            // Deliberately silent: nothing about the failure reaches the client, and
            // context.User is left as it was at the point of the exception.
            // NOTE(review): nothing is recorded server-side either, so malformed or
            // tampered cookies are invisible to monitoring; consider a generic log entry.
        }
        finally
        {
            // protector was assigned from `new` before the try block, so it is never null here.
            protector.Dispose();
        }
    }

    // NOTE(review): IsLoginPage is defined outside this block; how strictly it matches
    // the request decides which URLs bypass authorization. Verify it is an exact match.
    if (IsLoginPage(context.Request))
    {
        context.SkipAuthorization = true;
    }
}