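<% @ import namespace=System.Security.Principal %> <% @ import namespace=System.Security %>
<script language=c# runat=server>
    /// <summary>
    /// Rebuilds the request principal from the forms-authentication cookie.
    /// When the ticket was issued, its UserData was filled with a '|'-delimited
    /// list of role names; those roles are attached to a GenericPrincipal so
    /// that IsInRole() and role-based URL authorization work for the request.
    /// </summary>
    /// <param name="sender">The HttpApplication raising the event (unused).</param>
    /// <param name="e">Event arguments (unused).</param>
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        // Look up the forms authentication cookie; no cookie means an anonymous request.
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie authCookie = Context.Request.Cookies[cookieName];
        if (null == authCookie)
        {
            return;
        }

        FormsAuthenticationTicket authTicket = null;
        try
        {
            // Decrypt verifies the ticket's MAC (keyed by the machineKey) and decrypts it;
            // a tampered, truncated or foreign cookie throws rather than yielding a ticket.
            authTicket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception ex)
        {
            // Log exception details (omitted for simplicity) and treat the request as anonymous.
            return;
        }

        // Decrypt can also return null without throwing, and it does NOT enforce expiry:
        // an expired (possibly stolen) ticket must not be promoted to an authenticated principal.
        if (null == authTicket || authTicket.Expired)
        {
            return;
        }

        // Extract the roles that were written into UserData when the ticket was created.
        // The roles are trustworthy only because the ticket is MAC-protected; RemoveEmptyEntries
        // keeps "" from becoming a role when UserData is empty or ends with a '|'.
        string[] roles = authTicket.UserData.Split(new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);

        // FormsIdentity wraps the ticket (Name = ticket.Name); GenericPrincipal adds the roles.
        FormsIdentity id = new FormsIdentity(authTicket);
        GenericPrincipal principal = new GenericPrincipal(id, roles);

        // Replace the role-less principal the FormsAuthenticationModule installed with this one;
        // it flows through the rest of the pipeline as Context.User / Page.User.
        Context.User = principal;
    }
</script>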