
What is the difference between Application_AuthenticateRequest and FormsAuthentication_OnAuthenticate

I've been experimenting with custom ASP.NET forms authentication and something that confuses me is where to set what roles are associated with a user. Reading various tutorials I've seen suggestions to use either Application_AuthenticateRequest or FormsAuthentication_OnAuthenticate, with the only difference in code being how the userPrincipal is assigned to the User.

    Context.User = userPrincipal;

and

    e.User = userPrincipal;

Below are the completed method calls for each. Are these functionally equivalent, or is there some difference I should be aware of?

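    // Both handlers live in Global.asax.cs and need System, System.Web,
    // System.Web.Security and System.Security.Principal.
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        HttpCookie authCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie != null)
        {
            FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
            // Skip a missing or expired ticket so a stale cookie cannot establish a principal.
            if (authTicket != null && !authTicket.Expired)
            {
                // Roles are stored ';'-separated in the ticket's UserData.
                string[] roles = authTicket.UserData.Split(';');
                GenericPrincipal userPrincipal = new GenericPrincipal(new GenericIdentity(authTicket.Name), roles);
                Context.User = userPrincipal;
            }
        }
    }


    protected void FormsAuthentication_OnAuthenticate(Object sender, FormsAuthenticationEventArgs e)
    {
        HttpCookie authCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie != null)
        {
            FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
            // Skip a missing or expired ticket so a stale cookie cannot establish a principal.
            if (authTicket != null && !authTicket.Expired)
            {
                // Roles are stored ';'-separated in the ticket's UserData.
                string[] roles = authTicket.UserData.Split(';');
                GenericPrincipal userPrincipal = new GenericPrincipal(new GenericIdentity(authTicket.Name), roles);
                e.User = userPrincipal;
            }
        }
    }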

cost asked May 11 '14 01:05


1 Answer

These seem like they're the same, and likely will produce more or less the same results. But there are some key differences, and these have to do with the ASP.NET pipeline and the order in which various events are called and triggered.

When ASP.NET initializes, it hooks the FormsAuthentication_OnAuthenticate() handler up to the Application_AuthenticateRequest event. So when AuthenticateRequest is called, it walks through its chain of handlers and calls them in order.

It just so happens that the first module ASP.NET configures for this is FormsAuthentication, which means that the FormsAuthentication_OnAuthenticate() handler will get called first, followed by any custom modules that may also be configured, and finally anything configured in the global.asax.

Basically, it's all about the order things are called in.

So the answer to the question of what the difference between them is: well, they are two different handlers that are called at different points in the authentication pipeline for the same event.

In most cases, it probably wouldn't matter which one you used, but in some cases it might. For instance, if you did the job in the FormsAuthentication_OnAuthenticate() method, a later handler in the chain might overwrite what you've done with its own settings.

Erik Funkenbusch answered Nov 08 '22 13:11
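
The ordering described in the answer, as an added example that is not part of the original question or answer: both handlers in one Global.asax.cs, where the later one leaves an earlier role assignment alone instead of overwriting it. The class name `Global`, the helpers `ReadTicket` and `WithRoles`, and the `RolesAttached` key are hypothetical names; the ';'-separated role format follows the question's code.

```csharp
// Global.asax.cs: added example, not code from the question or the answer.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    private const string RolesAttached = "RolesAttached"; // hypothetical Context.Items key

    // Raised first, by FormsAuthenticationModule, before it builds its own principal.
    protected void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs e)
    {
        FormsAuthenticationTicket ticket = ReadTicket(e.Context.Request);
        if (ticket == null) return;                    // leave the request to the module
        e.User = WithRoles(new FormsIdentity(ticket)); // the module uses e.User for the request
        e.Context.Items[RolesAttached] = true;
    }

    // Per the answer's ordering this runs after the modules; an assignment here replaces theirs.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null || Context.Items.Contains(RolesAttached))
            return; // anonymous, or an earlier handler already attached roles
        FormsIdentity identity = Context.User.Identity as FormsIdentity;
        if (identity != null) // reuse the ticket an earlier handler accepted, no second Decrypt
            Context.User = WithRoles(identity);
    }

    // Roles are ';'-separated in UserData, as in the question's code.
    private static IPrincipal WithRoles(FormsIdentity identity)
    {
        string[] roles = identity.Ticket.UserData.Split(
            new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
        return new GenericPrincipal(identity, roles);
    }

    // Returns null for a missing, undecryptable or expired ticket.
    private static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket;
        }
        catch (Exception) { return null; } // treat a bad cookie as anonymous
    }
}
```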