How is User.Identity.IsAuthenticated Checked?

Fouad S 20 Reputation points

Hi - I noticed that when the session has ended on our website (.NET Framework 4.6.2 using Azure B2C), User.Identity.IsAuthenticated returns false even though the user has asked to stay signed in. However, when we call Challenge for user login, the user is quickly logged in without having to enter their credentials again. So the keep me signed in functionality is working when you challenge the user to the login page as they don't have to re-enter their credentials. My query is why is User.Identity.IsAuthenticated is false on Session_Start despite the user selecting to be kept signed in.

Below is some pseudo code of how we have it structured in the Session__Start method. Additionally, we do have an event ("OnSecurityTokenValidated") in the Startup class where we handle the process of checking whether the user has been asked to be kept signed in and then persist the authentication property like so:

Overall we have got it to work but could anyone explain how this works and why User.Identity.IsAuthenticated set to false initially? Thank you!

Startup - OnSecurityTokenValidated Example below

Global.asax.cs - Session Start Method

// This bit seems to be false on session start despite 
// the user being asked to be kept signed in.
if (User.Identity.IsAuthenticated)
        // Do some cool stuff here
        // fetch the cookie value
        var keepMeSignedIn = // fetch cookie method;
        bool keepUserSignedIn = false;

        if (!string.IsNullOrEmpty(keepMeSignedIn))
            bool.TryParse(kmsiCookie, out keepUserSignedIn);

        var azureAdB2CChallengedFlag = HttpContext.Current.Session[AppConstants.AZURE_AD_B2C_CHALLENGED_FLAG];

        if (azureAdB2CChallengedFlag == null && keepUserSignedIn)
            HttpContext.Current.Session[AppConstants.AZURE_AD_B2C_CHALLENGED_FLAG] = true;

                new AuthenticationProperties
                    RedirectUri = AppConstants.ACCOUNT_LOGIN_PAGE_PATH_URL
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,180 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Shweta Mathur 28,926 Reputation points Microsoft Employee

    Hi @Fouad S ,

    Thanks for reaching out.

    It is expected that User.Identity.IsAuthenticated is false on session_start because the user has not yet been authenticated. When the user logs in, the authentication cookie is created and sent to the browser. The browser then sends the cookie with each subsequent request, allowing the server to identify the user and set User.Identity.IsAuthenticated to true.

    When you call Challenge for user login, the ASP.NET Framework checks for the authentication cookie and sets the User.Identity property to the authenticated user if the cookie is present. Since the authentication cookie is still valid, the user is logged in without having to enter their credentials again and then set this property to true.

    Hope this will help.



    0 comments No comments