Today I got a case where a user reports that their authentication provider has been called a lot. Actually all the time. Since their authentication provider will connect to a transaction server that costs money for each transaction that is not acceptable. Here is what we found.

Since EPiServer 4.5x you could write your own authentication provider. In most cases you would like your authentication provider to be called the first time a user login on the site, but not all the time. That is why EPiServer by default has a cache authentication provider. After your provider has authenticated the user you need just to add the user to cache. Next time EPiServer will check first time in cache and if the user exists your authentication provider doesn't need to authenticate the user again. In your authentication provider you need to check the e.isHandled property. If it is true then you don't need to do any more. What the cache authentication provider does, is to check the cache if the user exists and check the username and password against the cached object.

In this case the site doesn't use EPiServer login form and they have actually no need of a password field. Their authentication works, but it seems that cache authentication provider is depending on a password. Our solution is in the login code we provide the user a password and now the cache authentication provider is happy.