Loosing roles between two pages ?

I use this in Global.asax for my CSLA based app:

Private Sub Global_AcquireRequestState(ByVal sender As Object, ByVal e As
System.EventArgs) Handles MyBase.AcquireRequestState

     If Not Session("CSLA-Principal") Is Nothing Then
      Thread.CurrentPrincipal = CType(Session("CSLA-Principal"), MyUser)
      HttpContext.Current.User = CType(Session("CSLA-Principal"), MyUser)
    Else
      If Thread.CurrentPrincipal.Identity.IsAuthenticated = True Then
        Web.Security.FormsAuthentication.SignOut()
        Server.Transfer(Request.ApplicationPath + "/Login.aspx")
      End If
    End If

  End Sub

The code after the Else handles the case where the session died but the user
still has an authenticated cookie!
Can happen many ways - IIS recycles the app, etc.

以上代码每个Request都对当前的Thread进行授权，如果发现Session已经过期，但用户仍然有一个被授权的Cookie,则强迫用户重新登录。
这种事情在很多情况下都会发生....