The clue is in the return types:

AuthorizeCore returns a boolean - it is decision making code. This should be limited to looking at the user's identity and testing which roles they are in etc. etc. Basically it should answer the question:

Do I want this user to proceed?

It should not perform any additional activities "on the side".

OnAuthorize returns void - this is where you put any functionality that needs to occur at this point. e.g. Write to a log, store some data in session etc etc.
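The split described in the answer above, as an added example that is not part of the original post. It assumes ASP.NET MVC's System.Web.Mvc.AuthorizeAttribute, where the void method is named OnAuthorization; the class name AuditedAuthorizeAttribute and the role "Auditor" are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute; the role name "Auditor" is a constructed sample value.
public class AuditedAuthorizeAttribute : AuthorizeAttribute
{
    // Decision only: no logging, no session writes, no redirects.
    // The base class also calls AuthorizeCore from its output-cache
    // validation callback, so it can run for a request on which
    // OnAuthorization never executed. Side effects here would fire
    // at unexpected times or be skipped entirely.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
        {
            throw new ArgumentNullException("httpContext");
        }

        var user = httpContext.User;
        return user != null
            && user.Identity.IsAuthenticated
            && user.IsInRole("Auditor");
    }

    // Side effects live here. base.OnAuthorization calls AuthorizeCore and,
    // when it returns false, HandleUnauthorizedRequest sets filterContext.Result
    // to an HttpUnauthorizedResult. The outcome is read afterwards and recorded.
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);

        var http = filterContext.HttpContext;
        bool denied = filterContext.Result is HttpUnauthorizedResult;
        string name = http.User != null ? http.User.Identity.Name : string.Empty;

        // Strip CR/LF so a crafted user name cannot forge extra log lines.
        name = name.Replace("\r", string.Empty).Replace("\n", string.Empty);

        Trace.TraceInformation(
            "authz {0} user='{1}' path={2}",
            denied ? "DENY" : "ALLOW", name, http.Request.Path);
    }
}
```

Because the audit line is written in OnAuthorization rather than AuthorizeCore, a denied request is logged once per real request and not again each time a cached response is revalidated.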