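/// <summary>
/// Authorizes a Web API request. The caller must present a principal with an
/// identity, that identity must be validated by the handler matching its
/// authentication type (internal OAuth or Windows), and — when the management
/// server is configured to use sessions — the user must hold an active session.
/// The only exemption from the session requirement is a Windows-authenticated
/// caller invoking the <c>WindowsLogin</c> action, which is the call that
/// creates the session in the first place.
/// </summary>
/// <param name="actionContext">Context of the request being authorized.</param>
/// <returns><c>true</c> when the request may proceed; <c>false</c> otherwise.</returns>
protected override bool IsAuthorized(HttpActionContext actionContext)
{
    // Fail closed: no principal or no identity means nothing to authorize.
    var principal = actionContext.RequestContext.Principal;
    if (principal == null || principal.Identity == null)
    {
        return false;
    }

    var identity = principal.Identity;

    // The identity's authentication type selects the validating handler.
    // Both handlers are defined elsewhere in this class; string == is an
    // ordinal comparison, which is what an authentication-type tag needs.
    var isInternalAuth = identity.AuthenticationType == OAuthDefaults.AuthenticationType;
    var isAuthenticated = isInternalAuth
        ? HandleInternalAuthentication(actionContext)
        : HandleWindowsAuthentication(actionContext);

    // An unauthenticated caller is never authorized.
    if (!isAuthenticated)
    {
        return false;
    }

    // NOTE(review): in the original source this condition is preceded by an
    // empty "//" line; brace balance shows the condition itself is live — confirm.
    if (_configurationService.GetMainConfiguration().ManagementServer.IsUsingSession)
    {
        if (!_sessionManagement.HasActiveSession(identity.Name))
        {
            // Internal (OAuth) users must always have an active session.
            // Windows users must have one too, unless this is the WindowsLogin
            // call that establishes it. ActionName is presumably the action
            // method's name rather than a URL segment — verify before relying
            // on the ordinal comparison.
            var isWindowsLogin = actionContext.ActionDescriptor.ActionName == "WindowsLogin";
            if (isInternalAuth || !isWindowsLogin)
            {
                return false;
            }
        }

        // Presumably refreshes the session's last-activity marker so that an
        // idle timeout counts this request — confirm against ISessionManagement.
        _sessionManagement.UpdateUserActivity(identity.Name);
    }

    return true;
}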