protected override bool AuthorizeCore(HttpContextBase httpContext) { var isAuthenticated = base.AuthorizeCore(httpContext); if (!isAuthenticated) { var request = httpContext.Request; string token = null; if (!FormKey.IsNullOrEmpty()) { token = httpContext.Request[FormKey].TrimToNull(); } if (token == null) { string method = request.HttpMethod ?? ""; if (!ActionArgument.IsNullOrEmpty() && (method.Equals("POST", StringComparison.InvariantCultureIgnoreCase) || method.Equals("PUT", StringComparison.InvariantCultureIgnoreCase)) && (request.ContentType ?? string.Empty).Contains("application/json")) { if (httpContext.Request.InputStream.CanSeek) { httpContext.Request.InputStream.Seek(0, SeekOrigin.Begin); } using (var sr = new StreamReader(httpContext.Request.InputStream, httpContext.Request.ContentEncoding, true, 4096, true)) { var js = JsonSerializer.Create(JsonSettings.Tolerant); using (var jr = new JsonTextReader(sr)) { var obj = js.Deserialize <RequestWithToken>(jr); token = obj.AuthenticationToken.TrimToNull(); } } } } if (token != null) { var ticket = FormsAuthentication.Decrypt(token); if (!ticket.Expired) { var principal = new GenericPrincipal(new GenericIdentity(ticket.Name), new string[] { }); httpContext.User = principal; isAuthenticated = true; } } } return(isAuthenticated); }