U4-6496 - "Umbraco.Web.UmbracoContext.Current.Security.CurrentUser" returns "null" for front-end requests

Created by Flavio Spezi 03 Apr 2015, 13:08:30 Updated by Shannon Deminick 05 Sep 2016, 06:20:27

I think that in Umbraco 7.2.4 there is a problem.

I used Umbraco.Web.UmbracoContext.Current.Security.CurrentUser to obtain the current backoffice user. It worked in some previous Umbraco versions, but it does not work in "Umbraco 7.2.4".

To try it:

  • Go to "/umbraco", then login with a User.
  • Return to frontend website, and open a page with this content: <div>@(Umbraco.Web.UmbracoContext.Current.Security.CurrentUser == null ? "is null" : "is right")</div>

The result must be "is right" but the page returns "is null".


Shola 03 Apr 2015, 18:22:08

I ran into this as well. I had to start using the auth ticket instead, ever since around 7.2.2:

    var auth = new HttpContextWrapper(HttpContext.Current).GetUmbracoAuthTicket();
    if (auth != null)
    {
        var curruser = ApplicationContext.Services.UserService.GetByUsername(auth.Name);
        ...

You can see here for more details: http://issues.umbraco.org/issue/U4-6342

Flavio Spezi 04 Apr 2015, 07:35:30

Thanks @oooshola, it works fine. Then is Security.CurrentUser a deprecated method?

Shola 06 Apr 2015, 15:22:20

Maybe. I suppose Security.CurrentUser is now only supposed to be used in the backoffice code, not in frontend razor code. However, all this may change when .net Identity is implemented, as stated in the thread here http://issues.umbraco.org/issue/U4-6342

Shannon Deminick 01 May 2015, 00:22:10

The 'issue' is that you are trying to determine the logged in 'back office' user for a 'front-end' page. No, Security.CurrentUser is not deprecated. It is for use within back office pages.

If you for some reason are integrating the back office user with your front-end pages, you're going to need to do that manually like Shola has done.

In order to set a current user, the authentication needs to be executed; this is done before any routing takes place, almost as soon as the request comes in. We need to auth either front-end or back-office, we cannot auth both because there is only a single 'User' object in a request, that is the nature of ASP.Net. So for a front-end request, we do not auth for back office users, thus the Security.CurrentUser is null because it is a front-end request.

The auth mechanism has changed a little bit in recent versions to make auth happen consistently and correctly (and also to improve performance). Before (when this 'worked') there was actually a bug that would change the current culture set for the request to be the back office user's instead of the front-end member's, which would of course cause problems... it should have never really worked in the first place and had issues associated with that.

Murray Roke 18 Aug 2015, 01:55:20

If I need to determine the back-office user (or just if they're logged in) on a front-end page what is the recommended way?

Currently I'm using:


Kevin Giszewski 25 Nov 2015, 15:40:27

@oooshola Thanks, needed this workaround. #h5yr

Shola 25 Nov 2015, 17:28:33

@kgiszewski https://www.youtube.com/watch?v=blTGvpO1dYw <--I can't believe I managed to find that. On a more serious note, this workaround was crucial for me when building a front-end "admin bar." If you're doing something like that, then the caveat with this workaround is if you're using output caching. You'd have to write some custom caching code to ensure the front end is varying by user.
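An added example, not part of the original thread and not Umbraco's own code: one way to combine the auth-ticket workaround with the output-caching caveat above, so a page rendered with an admin bar is never served from cache to a different visitor. It assumes Umbraco 7.2.x, where GetUmbracoAuthTicket() returns a FormsAuthenticationTicket as in the snippet earlier in the thread; the class name BackOfficeUserResolver and the "backofficeuser" vary key are hypothetical.

```csharp
// Added example. Assumptions: Umbraco 7.2.x (FormsAuthenticationTicket),
// hypothetical names BackOfficeUserResolver and "backofficeuser".
using System.Web;
using Umbraco.Core;
using Umbraco.Core.Models.Membership;
using Umbraco.Core.Security;   // GetUmbracoAuthTicket() extension method
using Umbraco.Web;

public static class BackOfficeUserResolver
{
    // Returns the back office user behind the auth ticket, or null when the
    // visitor has no usable ticket or the account no longer qualifies.
    public static IUser Resolve(HttpContextBase http)
    {
        var ticket = http.GetUmbracoAuthTicket();
        if (ticket == null || ticket.Expired) return null;

        var user = ApplicationContext.Current.Services.UserService
            .GetByUsername(ticket.Name);

        // A ticket can outlive an account change, so re-check stored state
        // instead of trusting the cookie alone.
        if (user == null || !user.IsApproved || user.IsLockedOut) return null;
        return user;
    }
}

// Global.asax.cs: make the output cache key depend on the resolved user.
// Opt in per action or page with:
//   [OutputCache(Duration = 60, VaryByCustom = "backofficeuser")]
public class Global : UmbracoApplication
{
    public override string GetVaryByCustomString(HttpContext context, string custom)
    {
        if (custom == "backofficeuser")
        {
            var user = BackOfficeUserResolver.Resolve(new HttpContextWrapper(context));
            // Anonymous visitors share one cache entry; each back office
            // user gets a separate one keyed by user id.
            return user == null ? "anonymous" : "user:" + user.Id;
        }
        return base.GetVaryByCustomString(context, custom);
    }
}
```

The resolver looks the user up on every request that evaluates the vary key, so the lookup cost applies even to cached pages.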

Priority: Normal

Type: Bug

State: Workaround posted


Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.2.4, 7.2.8, 7.3.4

Due in version:


Story Points: