U4-11463 - MembershipHelper is not working with basic auth on the initial request

Created by Claus Jensen 21 Jun 2018, 11:13:59 Updated by Sebastiaan Janssen 20 Sep 2018, 07:05:11

This issue started out as a support case where a customer was unable to upgrade their development environment due to the AutoUpgrader failing the initial prechecks of ensuring the site actually renders with a 200 response.

Upon investigating it turns out that when the AutoUpgrader was visiting the site - it would hit a null exception in the front end code which caused the check to fail. This however didn't seem to happen when you just visit the site in your browser - only when the AutoUpgrader was the one visiting.

After a whole lot of debugging I've found that the core of the issue is actually that when the AutoUpgrader is visiting the development site - it authenticates using BasicAuth.

When BasicAuth is used, the initial first request to the website (when you supply BA credentials) will be set as your BA credentials and IsAuthenticated=true. After this initial authentication is done, you are immediately signed out again and any following requests will have a status of IsAuthenticated=false (until you sign in with some other sort of authentication on your frontend site).

Due to this behavior - if you have code using our MembershipHelper.IsAuthorizedMember() it thinks you are authenticated and then tries to get the member from the configured provider. As the initial request is authenticated with BA credentials - these will not work with the configured MembershipProvider and therefore a member will not be resolved. This will result in a null exception happening and the request stops - any following request will do the same and will consequently just keep failing every time.

The moment you do a request that does not hit this exception - you go through the flow of being signed in with BA and signed out again .. and then what you do from there on; such as using the IsAuthorizedMember will not think you are logged in (unless you actually do log in as a member) and therefore the MembershipHelper will also not try to fetch your member.

For this reason - the AutoUpgrader would never be able to hit a site using BA and actually get a 200 OK response, if that site had any code on the front page using IsMemberAuthorized().

To fix this we need to make sure that if a member is not found using the credentials provided - the method simply returns false instead of throwing a null exception, due to just blindly believing that a member can be found when your status is that you are authenticated.


Claus Jensen 21 Jun 2018, 11:16:22

PR: https://github.com/umbraco/Umbraco-CMS/pull/2715

Priority: Normal

Type: Bug

State: Fixed


Difficulty: Normal


Backwards Compatible: True

Fix Submitted:

Affected versions:

Due in version:


Story Points: