I found the MSDN article, which is perhaps the most useful that I have seen in the sequence and operation of the integrated IIS pipeline , but this raises interesting questions regarding authentication.
Form authentication is displayed as performing very early in the pipeline. The "Execute" handler, for example, for routing ASP.NET MVC and executing a controller, is shown much later. But all too often, the authentication history for ASP.NET MVC looks like this:
public ViewResult Login(LoginModel login) { if (ModelState.IsValid) { if (Membership.ValidateUser(...)){ FormsAuthentication.SetAuthCookie(...); } }
The above code assumes that authentication (forms) occurs during the "Execution" handler stage, and not at the much earlier IIS "Authentication" stage.
Can someone clarify this apparent inconsistency?
My own assumption about this is that the IIS authentication step will execute FormsAuthenticate.Authorize (...) if indicated if no member provider has been configured by me. But if I set up my own membership provider, then the IIS authentication step does nothing efficiently - and waits for the “execute” step so that it can execute my own authentication code.
If my hunch is correct, then if I set up my own membership provider, this means that the IIS “Get Status” phase will also not function properly: it won’t see the session yet, because the session won’t until I completed my stage authentication inside my MVC controller. Or maybe the events of the Authentication and State Acquisition applications will be “delayed” and not raised until my controller executes its authentication code?
Yes? No?
source share