ValidatePrincipal in CookieAuthenticationHandler not being called on some requests #1602
Description
The result of this bug is that once in a while in a multi-user scenerio, the wrong user appears in httpcontext.User. Investigating the issue, I registered a custom function for OnValidatePrincipal event and discovered that it is not being called for the problematic requests. This line not being called:
https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs#L161
I registered a custom middleware after .UseAuthentication and I see those requests in my middleware even though they do not trigger the OnValidatePrincipal event.
I am now investigating further to see why OnValidatePrincipal is not called.
Anybody got any idea?
This is the code flow:
https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication/AuthenticationMiddleware.cs#L54
https://github.com/aspnet/HttpAbstractions/blob/dev/src/Microsoft.AspNetCore.Authentication.Abstractions/AuthenticationHttpContextExtensions.cs#L31
https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication/AuthenticationHandler.cs#L124
https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs#L154
ValidatePrincipal: https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authentication.Cookies/Events/CookieAuthenticationEvents.cs#L114