Custom Authentication and Basic understanding

Custom authentication lets us write our own module and set the page user (HttpContext.User).

Custom Authentication

Problem Scenario

How does custom authentication work

A little background on authentication: the worker process uses several HTTP modules to perform different types of authentication. The correct HTTP module is loaded based on the web.config entry. By default there are three HTTP modules in the machine.config file. Please see the following default entries in the machine.config file.


These authentication modules are responsible for creating an IPrincipal object and storing it in the HttpContext.User property. This property is used to make authorization decisions.

What is required to make custom authentication work

Step 1: Write our own HTTP module and hook a custom handler to the AuthenticateRequest event.
Step 2: Create an IPrincipal object and store it in the HttpContext.User property. Creating the IPrincipal object ourselves gives the developer the flexibility to change the page user (HttpContext.User) based on business rules.
Step 3: Add a web.config entry for the custom HTTP module inside the httpModules section.

<add name="CustomAuthentication" type="Namespace.CustomAuthentication, AssemblyName" />

Step 4: Write your own HTTP module.

using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Security.Principal;

/// <summary>
/// Summary description for CustomAuthentication
/// </summary>
public class CustomAuthentication : IHttpModule
{
    private HttpApplication httpApp;

    public void Init(HttpApplication httpApp)
    {
        this.httpApp = httpApp;
        // Hook the custom handler to the AuthenticateRequest event (step 1).
        httpApp.AuthenticateRequest += new EventHandler(OnAuthentication);
    }

    void OnAuthentication(object sender, EventArgs a)
    {
        string UserName = string.Empty;
        HttpContext httpContext = null;

        try
        {
            httpContext = HttpContext.Current;
            // User is null when no earlier authentication module has set it.
            if (httpContext.User != null && httpContext.User.Identity != null)
            {
                UserName = httpContext.User.Identity.Name;
            }
            // TODO:
            //UserName =
            // Write some business logic to authenticate the user against your application or whatever else is required.

            if (!string.IsNullOrEmpty(UserName))
            {
                // Replace the page user with a custom principal (step 2).
                // The roles argument is null, so this principal is in no role.
                IIdentity customIdentity = new GenericIdentity(UserName);
                IPrincipal customPrincipal = new GenericPrincipal(customIdentity, null);
                httpContext.User = customPrincipal;
            }
        }
        catch (System.Threading.ThreadAbortException)
        {
            // Exception Handling
        }
        catch (Exception exp)
        {
            // Exception Handling
        }
    }

    public void Dispose()
    { }
}
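The business-rule step that the TODO in the module leaves open, as an added example that is not part of the original article: it maps the incoming account name to application roles and shows how the resulting principal answers an authorization check. The class name PrincipalMapper, the account names and the role names are assumptions made up for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class PrincipalMapper
{
    // Constructed sample data: incoming account name -> application roles.
    // A real application would load this from its own user store.
    static readonly Dictionary<string, string[]> RolesByAccount =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\alice", new[] { "Admin", "Reports" } },
            { @"CORP\bob",   new[] { "Reports" } },
        };

    // Returns null for empty or unknown accounts; the caller decides
    // how to reject them instead of receiving a role-less identity.
    public static IPrincipal Build(string accountName)
    {
        string[] roles;
        if (string.IsNullOrEmpty(accountName) ||
            !RolesByAccount.TryGetValue(accountName, out roles))
        {
            return null;
        }
        return new GenericPrincipal(new GenericIdentity(accountName, "Custom"), roles);
    }

    // The kind of check an authorization step runs against HttpContext.User.
    public static bool IsAllowed(IPrincipal user, string role)
    {
        return user != null && user.Identity.IsAuthenticated && user.IsInRole(role);
    }

    public static void Main()
    {
        // Known account, lookup is case-insensitive.
        Console.WriteLine(IsAllowed(Build(@"corp\ALICE"), "Admin"));
        // Known account without the required role.
        Console.WriteLine(IsAllowed(Build(@"CORP\bob"), "Admin"));
        // Unknown account: Build returns null, so the check fails.
        Console.WriteLine(IsAllowed(Build(@"CORP\mallory"), "Reports"));
        // Null roles, as in the module above: authenticated but in no role.
        IPrincipal noRoles = new GenericPrincipal(new GenericIdentity(@"CORP\bob"), null);
        Console.WriteLine(IsAllowed(noRoles, "Reports"));
    }
}
```

In the module, the principal returned by Build would be assigned to HttpContext.Current.User only when it is not null.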

