/// <summary>
/// Authentication-stage handler: if the request carries the cookie named by
/// <c>_configuration.CookieName</c>, unprotects and deserializes it and, when it has
/// not expired, assigns the resulting principal to <c>context.User</c>.
/// Any failure along the way leaves <c>context.User</c> unset (fail closed).
/// Regardless of the cookie outcome, authorization is skipped when
/// <c>IsLoginPage</c> returns true for the request.
/// </summary>
/// <param name="sender">The <see cref="HttpApplication"/> raising the event.</param>
/// <param name="e">Unused event arguments.</param>
private void OnAuthenticateRequest(object sender, EventArgs e)
{
    var application = (HttpApplication)sender;
    var httpContext = application.Context;
    var authCookie = httpContext.Request.Cookies[_configuration.CookieName];

    if (authCookie != null)
    {
        var cookieProtector = new CookieProtector(_configuration);
        try
        {
            byte[] payload;

            // NOTE(review): the value returned by Validate is discarded here, so the
            // only thing stopping a rejected cookie from being used is that
            // Deserialize (or a later call) throws on whatever Validate left in the
            // out parameter. Presumably Validate reports success/failure through its
            // return value; confirm, and gate the block below on it explicitly
            // rather than relying on an exception.
            protector_Validate:
            cookieProtector.Validate(authCookie.Value, out payload);

            var ticket = AuthenticationCookie.Deserialize(payload);
            var expired = ticket.IsExpired(_configuration.Timeout);
            if (!expired)
            {
                httpContext.User = ticket.GetPrincipal();
                RenewCookieIfExpiring(httpContext, cookieProtector, ticket);
            }
        }
        catch
        {
            // do not leak any information if an exception was thrown.
            // simply don't set the context.User property.
        }
        finally
        {
            // The protector was created outside the try block, so it is never
            // null at this point; release it unconditionally.
            cookieProtector.Dispose();
        }
    }

    // The login page must stay reachable for unauthenticated users.
    if (IsLoginPage(httpContext.Request))
    {
        httpContext.SkipAuthorization = true;
    }
}