In Chapter 3, the sections on AuthenticateRequest, AuthorizeRequest and EndRequest described how forms authentication works throughout the HTTP pipeline. In summary, forms authentication performs the following tasks:
During AuthenticateRequest, the FormsAuthenticationModule checks the validity of the forms authentication ticket (carried in a cookie or in a cookieless format on the URL) if one exists. If a valid ticket is found, this results in a GenericPrincipal referencing a FormsIdentity as the value for HttpContext.Current.User. The actual information in the ticket is available as an instance of a FormsAuthenticationTicket off of the FormsIdentity.
During AuthorizeRequest, other modules and logic such as the UrlAuthorizationModule attempt to authorize access to the currently requested URL. If an authenticated user was not created earlier by the FormAuthenticationModule, any URL that requires some type of authenticated user will fail authorization. However, even if forms authentication created a user, authorization rules that require roles can still fail unless you have written custom logic to associate a FormsIdentity with a set of roles or used a feature like Role Manager that performs this association automatically.
If authorization fails during AuthorizeRequest, the current request is short-circuited and immediately forwarded to the EndRequest phase of the pipeline. The FormsAuthenticationModule runs during EndRequest and if it detects ...