Either is probably suitable. Application_BeginRequest
fires for EVERY request, where Application_AuthenticateRequest
may only fire for requests that require authentication, accoridng to your Web.config settings.
If you're serving very many requests that don't require authentication, it may be more efficient to do it in Application_AuthenticateRequest
. There's not really a norm here, because you're working outside the system, and the assumption is that whatever you do would be a temporary measure.