Authorize和AllowAnonymous

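    [Authorize]
    public class HomeController : Controller
    {
        /// <summary>
        /// Demo login action that issues the forms-authentication cookie for a fixed demo user.
        /// Marked [AllowAnonymous] so the controller-level [Authorize] does not block it.
        /// It shows both ways of issuing the cookie (1.0 automatic, 2.0 manual); a real
        /// action would validate the posted credentials first and use only one of them.
        /// </summary>
        /// <returns>The login view.</returns>
        [AllowAnonymous]
        public ActionResult Login()
        {
            // Demo user name only. The password is deliberately not kept around: it is
            // never needed after validation and must not end up in the ticket.
            string userName = "admin";

            //1.0 自动生成cookie
            // SetAuthCookie already adds the auth cookie to Response.Cookies.
            FormsAuthentication.SetAuthCookie(userName, false);

            //2.0 手动生成cookie
            //设置ticket信息
            // Non-persistent ticket valid for 20 minutes. UserData stays empty because the
            // encrypted ticket travels in a client-side cookie; a password does not belong there.
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                1, userName, DateTime.Now, DateTime.Now.AddMinutes(20), false, string.Empty);

            //加密
            string strTicket = FormsAuthentication.Encrypt(ticket);

            //生成cookie
            HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, strTicket);
            cookie.HttpOnly = true;                          // keep the ticket away from client-side script
            cookie.Secure = FormsAuthentication.RequireSSL;  // honour the requireSSL setting of <forms>
            cookie.Path = FormsAuthentication.FormsCookiePath;
            // Note: giving the cookie an Expires makes the browser persist it until then,
            // even though the ticket itself is marked non-persistent.
            cookie.Expires = ticket.Expiration;
            // Set replaces the cookie added by step 1.0 instead of sending a second
            // Set-Cookie header with the same name.
            Response.Cookies.Set(cookie);

            return View();
        }

        /// <summary>
        /// Ends the forms-authentication session by removing the ticket cookie.
        /// </summary>
        /// <returns>The sign-out view.</returns>
        public ActionResult SignOut()
        {
            // Example of reading the current identity (name and ticket UserData) before
            // signing out; only valid while the request is still authenticated.
            //if (HttpContext.Request.IsAuthenticated)
            //{
            //    string name = HttpContext.User.Identity.Name;
            //    var data = ((FormsIdentity)HttpContext.User.Identity).Ticket.UserData;
            //}

            FormsAuthentication.SignOut();

            return View();
        }
    }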

AuthorizeAttribute源码

http://www.cnblogs.com/icyJ/p/MVC_Authorize.html

/// <summary>
/// Authorization filter entry point of the framework's AuthorizeAttribute: skips the check when
/// [AllowAnonymous] is present, otherwise runs AuthorizeCore and either tightens the output-cache
/// policy (authorized) or hands the request to HandleUnauthorizedRequest (not authorized).
/// </summary>
/// <param name="filterContext">The authorization context of the current request.</param>
/// <exception cref="ArgumentNullException">filterContext is null.</exception>
/// <exception cref="InvalidOperationException">A child-action output cache is active for this request.</exception>
public virtual void OnAuthorization(AuthorizationContext filterContext)
{
    if (filterContext == null)
    {
        throw new ArgumentNullException("filterContext");
    }

    // Refuses to run while a child-action output cache is active; presumably because cached
    // child output would otherwise be served without this filter running again (reason inferred
    // from the resource name, not visible here).
    if (OutputCacheAttribute.IsChildActionCacheActive(filterContext))
    {
        throw new InvalidOperationException(MvcResources.AuthorizeAttribute_CannotUseWithinChildActionCache);
    }

    // [AllowAnonymous] on either the action or its controller wins; inherit: true means
    // attributes derived from AllowAnonymousAttribute count as well.
    bool skipAuthorization = filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), inherit: true)
                             || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), inherit: true);

    if (skipAuthorization)
    {
        return;
    }

    if (AuthorizeCore(filterContext.HttpContext))
    {
        // Authorized: forbid shared proxies from caching the response (max-age 0) and register
        // CacheValidateHandler as an output-cache validation callback (handler not shown here).
        HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
        cachePolicy.SetProxyMaxAge(new TimeSpan(0));
        cachePolicy.AddValidationCallback(CacheValidateHandler, null /* data */);
    }
    else
    {
        // Not authorized: the default handling produces the 401 / challenge result.
        HandleUnauthorizedRequest(filterContext);
    }
}

自己实现authentication

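  public class ActionValidateAttribute : System.Web.Mvc.AuthorizeAttribute
  {
      #region 判断是否登陆和是否有权限
      /// <summary>
      /// Checks whether the caller is logged in (and, once step 4.0 is enabled, whether it has
      /// permission for the requested area/controller/action). Actions or controllers carrying
      /// <see cref="MyAuthentication.Attributes.SkipAttribute"/> (normally login/logout) bypass the check.
      /// NOTE: base.OnAuthorization is not called, so the Users/Roles properties of
      /// AuthorizeAttribute have no effect with this filter.
      /// </summary>
      /// <param name="filterContext">The authorization context of the current request.</param>
      /// <exception cref="ArgumentNullException">filterContext is null.</exception>
      public override void OnAuthorization(System.Web.Mvc.AuthorizationContext filterContext)
      {
          if (filterContext == null)
          {
              throw new ArgumentNullException("filterContext");
          }

          //1.0 获取区域名(全部验证)
          // Single lookup instead of Keys.Contains + indexer; null when the route has no area.
          object areaToken;
          string strArea = filterContext.RouteData.DataTokens.TryGetValue("area", out areaToken) && areaToken != null
              ? areaToken.ToString().ToLowerInvariant()
              : null;

          // Route names are identifiers, so lower-case them culture-invariantly
          // (ToLower() depends on the thread culture, e.g. Turkish 'I').
          string strController = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName.ToLowerInvariant();
          string strAction = filterContext.ActionDescriptor.ActionName.ToLowerInvariant();

          //1.1 需要验证区域的集合.根据情况而定,目前我们没有分区域,所以是全部验证
          //1.2 判断请求路由是否包含在以上集合中
          //2.0 判断是否包含skip特性(正常情况下登陆、登出skip)
          if (DoesSkip<MyAuthentication.Attributes.SkipAttribute>(filterContext))
          {
              return;
          }

          //3.0 如果不跳过判断是否登陆状态
          bool isLogin = OperateContext.Current.IsLogin();

          //3.1 如果没有登陆重定向到登陆页面
          // Setting Result short-circuits the pipeline; the action is never executed.
          if (!isLogin)
          {
              filterContext.Result = OperateContext.Current.Redirect("/home/login", filterContext.ActionDescriptor);
              return;
          }

          ////4.0 已经登陆了,判断是否有权限 (uses strArea / strController / strAction above)
          //bool hasPermission = OperateContext.Current.HasPermission(strArea, strController, strAction);
          ////4.1 如果没有权限,重定向到登陆页面
          //if (!hasPermission)
          //{ filterContext.Result = OperateContext.Current.Redirect("/home/login", filterContext.ActionDescriptor); }

          //base.OnAuthorization(filterContext);
      }
      #endregion

      #region 判断是否有skip特性+DoesSkip<T>(System.Web.Mvc.AuthorizationContext filterContext)
      /// <summary>
      /// Returns true when the action or its controller is decorated with attribute <typeparamref name="T"/>.
      /// Only directly applied attributes are considered (inherit: false), unlike the framework's
      /// AllowAnonymous check, which passes inherit: true.
      /// </summary>
      /// <typeparam name="T">The marker attribute type to look for.</typeparam>
      /// <param name="filterContext">The authorization context of the current request.</param>
      /// <returns>True when the attribute is present on the action or the controller; otherwise false.</returns>
      /// <exception cref="ArgumentNullException">filterContext is null.</exception>
      protected bool DoesSkip<T>(System.Web.Mvc.AuthorizationContext filterContext) where T : Attribute
      {
          if (filterContext == null)
          {
              throw new ArgumentNullException("filterContext");
          }

          System.Web.Mvc.ActionDescriptor action = filterContext.ActionDescriptor;
          return action.IsDefined(typeof(T), false)
              || action.ControllerDescriptor.IsDefined(typeof(T), false);
      }
      #endregion
  }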
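 /// <summary>
 /// Marker attribute: an action or controller carrying it is exempted from the
 /// login check performed by ActionValidateAttribute (used for login/logout).
 /// Restricted to classes and methods, which are the only targets that check consults.
 /// </summary>
 [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
 public class SkipAttribute : Attribute
 {
 }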

 
