Why should I set request principal (custom IPrincipal) in AuthenticateRequest only?
I mean what is wrong if I'll set it at a later stage (for example in AcquireRequestState where a Session is already available)?
The reason for this question is that I wanted to store the current user in the Session instead of cookie, but the session is available only in/after AcquireRequestState event.
Why is it wrong to do it there?
View Complete Post