I created a brand new ASP.NET MVC 5 project to test the [Authorize] attribute with FormsAuthentication.SetAuthCookie. I simply set a cookie in one action (in my Home controller):

    public ActionResult About()
    {
        FormsAuthentication.SetAuthCookie("someUser", false);

And I limit access to another:

    [Authorize]
    public ActionResult Contact()
    {

When I launch my web page and navigate to /home/contact, I am correctly redirected to a login page. Then I go to /home/about, get my cookie, and go back to the contact page. But I'm still redirected to the login page -- the cookie does not authenticate/authorize me.

In the debugger, HttpContext.User.Identity.IsAuthenticated == false when I load the About page multiple times (that is to say, it never sees me as being authenticated even after setting an auth cookie).

Is there some extra step that must be done here? I shouldn't need to set my own IPrincipal for basic authentication, should I?

from web.config remove:

<modules>
  <!--<remove name="FormsAuthenticationModule" />-->
</modules>

or simples remove the line in web.config

EDIT: I did not know MVC5 defaulted new projects to having Forms Authentication removed (the module is removed) so make sure you also check DSR's comment under your originial post in conjuncture with all of this.

Check your web.config and look for the authentication section, it should look something like this,

<authentication mode="Forms">
  <forms loginUrl="..." cookieless="UseCookies" />
</authentication>

http://msdn.microsoft.com/en-us/library/1d3t3c61%28v=vs.85%29.aspx

The default cookieless value is "UseDeviceProfile" which means that cookies are used if the browser reports that it supports cookies, otherwise cookies are not used and it uses values in the querystring to maintain an authenticated state (which need to be retained accross postbacks).

Secondly, make sure cookies are on in your browser. If the device/browser does not support cookies or they are turned off then SetAuthCookie will make changes to the url, but you have to redirect the browser after the call to SetAuthCookie using...

FormsAuthentication.RedirectFromLoginPage(String, Boolean)...

That method redirects the page to it's destination after authentication with SetAuthCookie. RedirectFromLoginPage will put the required attributes in the url query to maintain the login session accross postbacks. If you do your own redirects on the site here and there you will need to maintain that url query parameter accross postbacks your self by checking if the current user is authenticated with HttpContext.Current.User.Identity.IsAuthenticated.

In order to send your users to the login page you should be using

FormsAuthentication.RedirectToLoginPage()

That method will add a returnUrl parameter to the query string, which the later function "RedirectFromLoginPage" will redirect back to after being authenticated.

If you block access to users or roles with location elements in your web.config to paths and resources Forms Authentication handles the redirection to the login page automatically when an un-authenticated user attempts to access them.

  <location path="SomeFolderOnYourSite">
    <system.web>
      <authorization>
        <deny users="?"/>
        <allow roles="Administrators"/>
      </authorization>
    </system.web>
  </location>

 <location path="SomeFolderOnYourSite">
<system.web>
  <authorization>
    <deny users="?"/>
    <allow roles="Administrators"/>
  </authorization>
</system.web>

is like it's not working for me when am using same code with small change it's working **<location path="~/SomeFolderOnYourSite"> <system.web> <authorization> <deny users="?"/> <allow roles="Administrators"/> </authorization> </system.web> </location>**

Commenting these lines in the file web.config, with FrameWork 4.5.2 worked for me. I use the active directory for login.

Specifying wrong value for domain attribute of forms tag can cause this too.

<authentication mode="Forms">
  <forms domain="localhost" ... />
</authentication>