
User login restrict access to page(s)

ZZ

Hi,

As we are migrating to Optimizely .NET 6, there is a requirement of restricting members' access (not Episerver admin or editor) to some of the pages/subpages. The member will use a username and password to log in, and our internal API will validate the user and return a JWT. We can save some of the claims in cookie authentication, and on future HTTP requests the cookie can be used for validating the user.

Is there a good article on how to do it in Optimizely?

I am thinking of using the virtual role "Authenticated":

https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/virtual-roles

But how can I programmatically add a user to that role on successful login?

Should I then add the "Authenticated" virtual role via the EpiServer admin UI to every page which we want to restrict access to?

Any guideline would be appreciated.

#293511
Dec 21, 2022 22:14

Can you add the users to a specific Visitor Group which has "Make this visitor group available when setting access rights for pages and files" enabled?

You can then restrict pages to this Visitor Group.

Here is the code for a Cookie Criterion:

    using System.Security.Principal;
    using EPiServer.Personalization.VisitorGroups;
    using Microsoft.AspNetCore.Http;

    /// <summary>
    /// Cookie criteria
    /// </summary>
    [VisitorGroupCriterion(Category = "Custom Criteria", Description = "Matches the request to see if it contains a cookie with the specified value", DisplayName = "Specific Cookie Value")]
    public class CookieCriterion : CriterionBase<CookieModel>
    {
        /// <summary>
        /// Invoked by the runtime to execute the criteria match
        /// </summary>
        /// <param name="principal">The current principal (not used by this criterion)</param>
        /// <param name="httpContext">The current request context</param>
        /// <returns>True when the request carries the configured cookie with the configured value</returns>
        public override bool IsMatch(IPrincipal principal, HttpContext httpContext)
        {
            // TryGetValue returns false when the cookie is absent, so no separate ContainsKey check is needed
            if (httpContext.Request.Cookies.TryGetValue(Model.Name, out var value))
            {
                return value == Model.Value;
            }

            return false;
        }
    }

    /// <summary>
    /// Cookie criteria model
    /// </summary>
    public class CookieModel : CriterionModelBase
    {
        /// <summary>
        /// Cookie name
        /// </summary>
        public string Name { get; set; }

        /// <summary>
        /// Cookie value
        /// </summary>
        public string Value { get; set; }

        /// <summary>
        /// Create shallow copy
        /// </summary>
        /// <returns>A copy of this model</returns>
        public override ICriterionModel Copy()
        {
            return ShallowCopy();
        }
    }
#293563
Edited, Dec 22, 2022 16:14
ZZ

Thanks Minesh for your input.

This is also a good suggestion, using VGs in Optimizely.

The issue is that the pages (behind login) already have the "Authenticated" virtual role assigned to all the pages/subpages which are restricted to logged-in users.

I could check in the cookie authentication claims/identity if the user is logged in and then add it to the current principal; the example below is from the old solution (ASP.NET 4.6):

    // Code from Global.asax (ASP.NET 4.6); `profile` is populated earlier in the handler (not shown)
    using System.Security.Principal;
    using EPiServer.Security;

    if (profile.isValid)
    {
        var identity = new GenericIdentity(profile.Id);
        var roles = new[] { "Everyone", "Authenticated" };
        var principal = new GenericPrincipal(identity, roles);
        // Make the principal visible both to ASP.NET and to Episerver's access-rights checks
        httpContext.User = principal;
        PrincipalInfo.CurrentPrincipal = principal;
    }

How can I do the same as above in .NET 6 (maybe custom middleware)?

The other idea could be to use the [Authorize] attribute on the controllers which require login, but then I have to add it to all the controllers (approx. 20), and by doing this I will also be removing the flexibility for CMS editors of restricting pages by using the "Authenticated" virtual group.

#293613
Edited, Dec 23, 2022 13:49

To programmatically add a user to a role on successful login in Episerver, you can use the Membership.AddUserToRoles method from the System.Web.Security namespace. This method takes two arguments: the username of the user you want to add to the role, and an array of role names to which the user should be added.

#293617
Dec 23, 2022 22:15
ZZ

Thanks for your input Anawilliam.

The users I am mentioning here are external users, and they are authenticated by using our internal API. In our Optimizely solution we would have a dedicated self-service area/webpages for them,

e.g. https://localhost:5001/my/xxx

"my" and all subpages of the "my" page would have the "Authenticated" virtual group assigned to them. The Everyone virtual group wouldn't give access to these pages.

Now if I add a user to a group by using AddUserToRoles(), it would be saved in the DB, while we want to check for every HTTP request that the user has a valid token and an assigned role on the fly. Is that possible?

I saw someone posted to use the Application_AuthenticateRequest method of global.asax, but we are moving to .NET 6 and global.asax is no longer there.

#293619
Edited, Dec 23, 2022 22:34
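For the .NET 6 replacement of the Global.asax code asked about above, and the later question of checking the token on every request rather than storing a role, here is an added example (not code from any of the posts): plain ASP.NET Core JWT bearer authentication that reads the member API's JWT from an HttpOnly cookie and validates its signature, issuer, audience and lifetime on each request, so the principal in HttpContext.User is only authenticated while the token is valid. Per the virtual-roles documentation linked above, the Authenticated virtual role matches any authenticated principal, so nothing has to be written to a stored role. The cookie name, issuer, audience and configuration key are assumed values, the Microsoft.AspNetCore.Authentication.JwtBearer package is assumed to be referenced, and a real CMS 12 site would merge this into its existing authentication setup rather than replace it.

```csharp
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed values: the cookie name and the configuration key holding the HMAC key
// the internal member API signs its JWTs with (loaded from secrets, never hard-coded).
const string MemberCookie = "member_token";
var signingKey = new SymmetricSecurityKey(
    Encoding.UTF8.GetBytes(builder.Configuration["MemberApi:SigningKey"]!));

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Every request re-validates the token, so an expired or tampered token
        // simply yields an unauthenticated principal and the Authenticated
        // virtual role no longer matches; no stored role needs changing.
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = signingKey,
            ValidIssuer = "https://members.example.invalid",  // assumed
            ValidAudience = "optimizely-site",                // assumed
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
            NameClaimType = ClaimTypes.NameIdentifier,
            RoleClaimType = ClaimTypes.Role   // role claims in the JWT drive User.IsInRole
        };
        options.Events = new JwtBearerEvents
        {
            // Take the token from the cookie instead of the Authorization header.
            OnMessageReceived = ctx =>
            {
                if (ctx.Request.Cookies.TryGetValue(MemberCookie, out var token))
                    ctx.Token = token;
                return Task.CompletedTask;
            }
        };
    });

var app = builder.Build();
app.UseAuthentication();   // populates HttpContext.User before CMS access-rights checks
app.UseAuthorization();
app.Run();
```

The login action that receives the JWT from the member API should store it with `CookieOptions { HttpOnly = true, Secure = true, SameSite = SameSiteMode.Strict }` and an expiry no later than the token's own, so the cookie cannot be read by page scripts and outlives nothing the server would accept.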