[Dev Tip] What fires Application_AuthenticateRequest When?

Putting a breakpoint on Application_AuthenticateRequestwithin VS2010 and examining the Call Stack (ensuring that ‘Show External Code’ is checked in the context menu) shows:

(extraneous info omited for brevity)

So it would appears that the .Net Framework Request Processing Pipeline fires this event – and fires it for every request.

WHEN the event fires depends on whether there are Custom Modules in the pipeline.

Taken from a response on stackoverflow, user bbmud found that:

After the initialization, when the AuthenticateRequest fires, the event handlers are called in the order they where initialized, so:

  • FormsAuthenticationModule.AuthenticateRequest event handler
  • CustomModule.AuthenticateRequest event handler
  • Global.AuthenticateRequest event handler
  • Global.Application_AuthenticateRequest method

The MSDN site has some info on Application_AuthenticateRequest:

The AuthenticateRequest event signals that the configured authentication mechanism has authenticated the current request

So if Windows Authentication is being used, then we must assume that the code to perform this authentication has already been executed and has been successful by the time the Application_AuthenticateRequest fires.

Similarly, if FormsAuthentication is being used, then we must assume that the code to perform this authentication has already been executed and has been successful.

Therefore, at this stage in the request processing pipeline, we should be able to safely assume that there exists an Authentication Ticket in the request (either as a Cookie, in the RequestURL or in the QueryString array) containing the users details.

From this we can create a Principle and assign it to HttpContext.User so that the our application can safely rely on this value to retrieve the information of our authenticated user eg to conduct Authorization checks and see what resources the user can/cannot access.


One thought on “[Dev Tip] What fires Application_AuthenticateRequest When?

  1. This event if fired when the identity of the current user is valid and you want to

    manipulate the ticket created in the AuthenticateUser() method.

    write the user info into a data store…
    The reason why you found it most often is that .NET requires each Application Request to trigger events in the following order:


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s