有关我的情况***的解决办法似乎是绕过基地的 OnAuthorization 完全。因为我有验证每次饼干和缓存的原则，是没有多大用处。因此，这里是我想出了解决办法：

The best solution for my scenario appears to be bypass the base OnAuthorization completely. Since I have to authenticate each time cookies and caching the principle are not of much use. So here is the solution I came up with:

 public override void OnAuthorization(HttpActionContext actionContext)
 {

     string username;
     string password;
     if (GetUserNameAndPassword(actionContext, out username, out password))
     {
         if (Membership.ValidateUser(username, password))
         {
             if (!isUserAuthorized(username))
                 actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden);
         }
         else
         {
             actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Unauthorized);
         }
     }
     else
     {
         actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.BadRequest);
     }
 }

我开发我自己的方法来验证名为 isUserAuthorized ，我不使用基本的 OnAuthorization 任何更多，因为它会检查当前的原理角色>看它是否 isAuthenticated 。 IsAuthenticated 只允许得到，因此我不知道怎么回事，设置它，我似乎并不需要电流原理。测试了这一点，它工作正常。

I developed my own method for validating the roles called isUserAuthorized and I am not using the base OnAuthorization any more since it checks the current Principle to see if it isAuthenticated. IsAuthenticated only allows gets so I am not sure how else to set it, and I do not seem to need the current Principle. Tested this out and it works fine.

如果任何人有一个更好的解决方案，也可以看到与此这一项的任何问题仍感兴趣。

Still interested if anyone has a better solution or can see any issues with this this one.