AuthenticationAttribute IsAuthenticated false


We are seeing an occasional issue where:

  1. The user logs in and accesses other urls successfully.
  2. After 10 -15 minutes of inactivity, the same request fails with a 401 unauthorized.

We have a Custom AuthenticationAttribute and I have verified that:

  1. All the cookies are included as part of the request and not expired
  2. Also verified that the session.Id matches the ss-id.
  3. When I retrieve the custom session object, only the id field is populated. The other fields that I had updated in OnAuthenticated seem to be nulll/ default values.
  4. However, request.IsAuthenticated is false in this instance.

This is where we save the user details to session OnAuthenticated

Any suggestions as to what are the causes for request.IsAuthenticated to be false?


An empty session means there was no session, so the cookies are not referencing a valid server session. Sessions are stored in the registered caching provider using the session cache key format below:


Thanks for the quick reply.

Am I accessing the session in AuthenticationAttribute correctly?


In the OnAuthenticated code, All I am doing is authService.SaveSession()?
Do I need anything else here?


If you’re calling the base AuthenticateAttribute implementation then res.IsClosed will be true if Authentication failed (with the HTTP Error Response already written to the response).

This lets you resolve the current Session:

var session = req.GetSession();

Sorry, one more thing.

When I make a call to authService.SaveSession, the SessionExpiry parameter is null. At the moment we are using MemCacheClient but moving to REdisCacheClient soon.

Is the null SessionExpiry going to cause issues related to not being able to locate sessions after 10-15 minutes of inactivity?

If it’s null it will use the default Session Timeout, you can ensure all Sessions using the same expiry by overriding OnSaveSession() in your AppHost.

There’s a number of existing posts about this that may provide additional context:

If it’s returning an Empty Session it means there’s no valid session in the registered Cache Client referenced by the session cookies.

Thanks for your help.
I have tried OnSaveSession to explicitly specify a timeout and it is still the same. I am also find some other oddities like this issue happens only when the code is published via the Release Management module. Also, it seems to be happening only for one of the APIs which has two Auth Providers registered - Custom Credentials and a JWT Provider.

Just saw this in the doco and wondered whether having a JWT Provider as well is causing this issue:

Just wanted to check with you - if there is anything other specific areas I could check for debugging this issue.


You shouldn’t be using both a JWT Token and Session Cookies in the same request, but if your request doesn’t include the JWT Token it will use your Session cookies. If you want to convert your Server Session into a JWT Token you can use Convert Session to Token.

Inspect the state of your Session in your Cache provider and ensure that it’s referenced by the Session Cookies and that the Session Cookies do not change in between requests and that the Session in your Cache does not expire/invalidate, if it does find out why.

Thanks Demis.

I followed through the points you mentioned yesterday and it looks like there was an internal error with incorrect dll references that was causing an app error/ restart and it looks like the internal memory cache was being cleared. Once this error was resolved, we no longer see this issue. But it has highlighted the need to switch to Redis Cache.

Thanks for your assistance.

1 Like