Context.User.Identity.IsAuthenticated always authenticated?

I am trying to create an HttpHandler which will intercept a sample PDF file which we have on our website. The HttpHandler works fine from within my development machine and even my locally published website: if I just try to connect to the test URL https://test.com/admin/_/sample_reports/sample.pdf, I get sent to the invalid access page.

So pushing it to our IIS6 machine when I try to go to the URL it serves up the PDF document. context.User.Identity.IsAuthenticated is always showing as true.

I'm using forms authentication. Below is the code I am using as the handler.

public void ProcessRequest(HttpContext context)
{
    if (context.User.Identity.IsAuthenticated)
    {
        string SampleURL = context.Request.AppRelativeCurrentExecutionFilePath;

        context.Response.Buffer = true;
        context.Response.Clear();
        using (FileStream fs = new FileStream(HttpContext.Current.Server.MapPath(SampleURL),FileMode.Open))
        {
            int length = (int)fs.Length;
            byte[] buffer;

            using (BinaryReader br = new BinaryReader(fs))
            {
                buffer = br.ReadBytes(length);
            }

            context.Response.Clear();
            context.Response.Buffer = true;
            context.Response.ContentType = "application/pdf";
            context.Response.BinaryWrite(buffer);
            context.Response.End();
        }
    }
    else
    {
        context.Response.Redirect(
           "~/Error/invalid_access.aspx");
    }
}

In web.config I have the following for forms authentication:

<authentication mode="Forms">
  <forms name="Sample.Web" loginUrl="~/Security/" defaultUrl="~/default.aspx" protection="All" timeout="60" path="/" requireSSL="false" slidingExpiration="true" enableCrossAppRedirects="false" cookieless="UseDeviceProfile" domain="">
  </forms>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>


The Context.User.Identity.IsAuthenticated property is set to true when the authentication cookie is still set and is still valid (not expired) for forms authentication.

In the case of Forms authentication, the forms authentication module uses the encrypted authentication ticket contained in the authentication cookie to authenticate the user. Once it has done this, it replaces the GenericIdentity in Context.User.Identity with a FormsIdentity object that returns true from its IsAuthenticated property.

So, your auth cookie is still alive; it may be caused by calling one of those FormsAuthentication methods like RedirectFromLoginPage or SetAuthCookie, which set the auth cookie, or just by a forgotten cookie.

Also, it would be better to use HttpRequest.IsAuthenticated instead of Context.User.Identity.IsAuthenticated for your example. It checks whether HttpContext.User and HttpContext.User.Identity are not null and whether the HttpContext.User.Identity.IsAuthenticated property is set to true. In your case, when e.g. HttpContext.User is null, your code will throw a NullReferenceException.


Are you sure that

So pushing it to our IIS6 machine when I try to go to the URL it serves up the PDF document. context.User.Identity.IsAuthenticated is always showing as true.

This .PDF request may have already been processed by the IIS 6 static file handler instead of your HTTP handler on IIS 6.
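
A handler that applies the points from the two answers above, as an added example that is not part of the original posts: it uses Request.IsAuthenticated and stamps every response with a marker header, so the response headers show whether this handler or something else (such as the IIS 6 static file handler) served the PDF. The class name SamplePdfHandler and the header name X-Served-By are made up for this example; the redirect target is the one from the question.

```csharp
using System.IO;
using System.Web;

// Hypothetical class name; it has to be registered for the PDF path
// under <httpHandlers> in web.config like any other IHttpHandler.
public class SamplePdfHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Diagnostic marker (header name invented for this example).
        // If a response for the PDF lacks it, this handler never ran
        // and the file was served without the check below.
        context.Response.AppendHeader("X-Served-By", "SamplePdfHandler");

        // Request.IsAuthenticated is false when context.User or
        // context.User.Identity is null, so no NullReferenceException.
        if (!context.Request.IsAuthenticated)
        {
            // endResponse=false avoids the ThreadAbortException that
            // Redirect(url) raises; CompleteRequest ends the pipeline.
            context.Response.Redirect("~/Error/invalid_access.aspx", false);
            context.ApplicationInstance.CompleteRequest();
            return;
        }

        string path = context.Server.MapPath(
            context.Request.AppRelativeCurrentExecutionFilePath);
        if (!File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // Private: shared caches must not store the protected document.
        context.Response.Cache.SetCacheability(HttpCacheability.Private);
        context.Response.ContentType = "application/pdf";
        // TransmitFile streams from disk instead of reading the whole
        // file into a byte[] first.
        context.Response.TransmitFile(path);
    }
}
```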


You need to use ProcessRequest

public void ProcessRequest(HttpContext context)
{
    if (!context.User.Identity.IsAuthenticated)
    {
         context.Response.Redirect(
           "~/Error/invalid_access.aspx");
    }

}

EDIT: Might be IIS that is the culprit then. Do you have the following set? In IIS, anonymous access is enabled for all applications that use forms authentication.

<system.web>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>