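/// <summary>
/// httpRequestBegin processor that keeps the Sitecore login session (.ASPXAUTH /
/// Context.IsLoggedIn) in step with the federated claims session (claims cookie +
/// ClaimsPrincipal). Whenever the two disagree the Sitecore user is logged out and
/// redirected to the logout page, i.e. every ambiguous state fails closed.
/// Only requests outside the "sitecore" domain are checked.
/// </summary>
/// <param name="args">Pipeline arguments; must not be null.</param>
public override void Process(HttpRequestArgs args)
{
    Assert.ArgumentNotNull(args, "args");

    // only check if domain is not equal to the sitecore domain
    // TODO: can be removed if we are logging in with claims as well for editors
    if (Context.Domain.Name.Equals("sitecore"))
    {
        return;
    }

    string key = IdentityHelper.GetAuthTokenFromCookie();
    bool hasClaimsCookie = !String.IsNullOrEmpty(key);
    bool sitecoreLoggedIn = Context.IsLoggedIn;
    var federatedUser = IdentityHelper.GetCurrentClaimsPrincipal() as ClaimsPrincipal;

    // algorithm:
    // 1 - if user is not logged in AND claimscookie is missing, return: anonymous visit -> handle in pipeline
    // 2 - if only claimscookie is available, delete this cookie -> handled by owin
    // 3 - if only ID in Database is available (not possible to check) -> handled by timer
    // 4 - if cookie, fedID and no sitecore ID is available -> redirect to login page, handled by sitecore
    // 5 - if only .ASPXAUTH cookie is available (Context.IsLoggedIn) -> logout and redirect -> pipeline
    // 6 - if claimscookie, no fed ID and sitecore login is available: logout and redirect -> pipeline
    // 7 - if no claimscookie, no fed ID and sitecore login available: logout and redirect -> pipeline
    // 8 - all identities available: compare them, logout on mismatch

    // 1 - anonymous visit: nothing to reconcile
    if (!sitecoreLoggedIn && !hasClaimsCookie)
    {
        return;
    }

    // 5 & 7 - Sitecore session without a claims cookie: the federated session is gone
    if (sitecoreLoggedIn && !hasClaimsCookie)
    {
        LogoutAndRedirectToLogoutPage();
        return;
    }

    // From here on the claims cookie is present.
    if (sitecoreLoggedIn)
    {
        // 6 - claims cookie but no federated principal behind it
        if (federatedUser == null)
        {
            LogoutAndRedirectToLogoutPage();
            return;
        }

        // 8 - both sessions present: they must belong to the same person.
        // A mismatch means a cookie mix-up (e.g. stale .ASPXAUTH for another
        // account), so the Sitecore session is dropped rather than trusted.
        if (!IsSameIdentity(Context.User.Name, federatedUser, Context.Domain.Name))
        {
            LogoutAndRedirectToLogoutPage();
        }

        return;
    }

    // Claims cookie present but no Sitecore session: either the callback from the
    // federated identity provider (entry from /login, auth context) or an
    // unexpected situation.
    // Ordinal comparison on purpose: culture rules must never influence a security check.
    // NOTE(review): this is a prefix match, so any path beginning with "/login"
    // (e.g. "/login-foo") is also let through; tighten to the exact login path if it is known.
    if (HttpContext.Current.Request.Url.PathAndQuery.StartsWith("/login", StringComparison.OrdinalIgnoreCase))
    {
        return;
    }

    // For all other situations: log out and redirect (case 2/4 fall-through).
    // TODO: log to database for diagnostics.
    LogoutAndRedirectToLogoutPage();
}

/// <summary>
/// Returns true when the Sitecore user name equals the federated identity mapped
/// into the given Sitecore domain ("domain\name"). A missing principal, identity
/// or name never matches, so a malformed federated principal forces a logout
/// instead of throwing a NullReferenceException inside the pipeline.
/// </summary>
/// <param name="sitecoreUserName">Name of the current Sitecore user (Context.User.Name).</param>
/// <param name="federatedUser">Claims principal from the federated session; may be null.</param>
/// <param name="domainName">Name of the current Sitecore domain.</param>
/// <returns>True only when both names are exactly (ordinal, case-sensitive) equal.</returns>
private static bool IsSameIdentity(string sitecoreUserName, ClaimsPrincipal federatedUser, string domainName)
{
    var identity = federatedUser == null ? null : federatedUser.Identity;
    string federatedName = identity == null ? null : identity.Name;
    if (String.IsNullOrEmpty(federatedName))
    {
        return false;
    }

    string expected = String.Format("{0}\\{1}", domainName, federatedName);

    // Case-sensitive on purpose (same as the previous string.Equals); if the identity
    // provider normalizes casing differently from Sitecore this forces a logout —
    // NOTE(review): confirm against the provider before relaxing to OrdinalIgnoreCase.
    return String.Equals(sitecoreUserName, expected, StringComparison.Ordinal);
}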