6

I have a web app with loads of pages and most of them require some session variables in order to function.

i want to put some defensive code in my app. where is the best place to put somethign like:

if (Session.Count == 0){
                Response.Redirect("~/default.aspx");
}

EDIT: how do i check if the current page is defult.aspx?

kacalapy
  • 9,806
  • 20
  • 74
  • 119

5 Answers5

18

Quite difficult, yeah fortunately it is solved.

You need to implement Application_PreRequestHandlerExecute in Global.asax

here is the code

    /// <summary>
    /// The event occurs just after Initialization of Session, and before Page_Init event
    /// </summary>
    protected void Application_PreRequestHandlerExecute(Object sender, EventArgs e)
    {
        // here it checks if session is reuired, as
        // .aspx requires session, and session should be available there
        // .jpg, or .css doesn't require session so session will be null
        // as .jpg, or .css are also http request in any case
        // even if you implemented URL Rewritter, or custom IHttp Module
        if (Context.Handler is IRequiresSessionState
               || Context.Handler is IReadOnlySessionState)
        {
            // here is your actual code
            // check if session is new one
            // or any of your logic
            if (Session.IsNewSession
                || Session.Count < 1)
            {
                // for instance your login page is default.aspx
                // it should not be redirected if,
                // if the request is for login page (i.e. default.aspx)
                if (!Context.Request.Url.AbsoluteUri.ToLower().Contains("/default.aspx"))
                {
                    // redirect to your login page
                    Context.Response.Redirect("~/default.aspx");
                }
            }
        }
    }

Edit 1: Explanation & Conclusion

As one of the guys told about ASP.NET Application Life Cycle.

There are plenty of events that occurs.

Actually events in Global.asax raises in the following sequence

  1. Validate Request // looks just internal mechanism

  2. Perform URL Maping // looks just internal mechanism

  3. Raise the BeginRequest event.

  4. Raise the AuthenticateRequest event.
  5. Raise the PostAuthenticateRequest event.
  6. Raise the AuthorizeRequest event.
  7. Raise the PostAuthorizeRequest event.
  8. Raise the ResolveRequestCache event.
  9. Raise the PostResolveRequestCache event.
  10. Just selects a class who implemented IHttpHandler for the application // looks just internal mechanism
  11. Raise the PostMapRequestHandler event.
  12. Raise the AcquireRequestState event. just before raising this event asp.net loads the State like Session
  13. Raise the PostAcquireRequestState event.
  14. Raise the PreRequestHandlerExecute event.
  15. Call the ProcessRequest method

Conclusion: All the events before AcquireRequestState event don't have Session object, because Session is not loaded by ASP.Net, so any event from *"AcquireRequestState** event gives Session object therefore this problem solves. However some checks are required as I mentioned in above code

Waqas Raja
  • 10,802
  • 4
  • 33
  • 38
1

in the Application_BeginRequest of the Global.asax

so to summaries the ideas we have:

protected void Application_AcquireRequestState(object sender, EventArgs e)
{
    if ((Session.Count == 0) &&
       !(Request.Url.AbsolutePath.EndsWith("default.aspx",
         StringComparison.InvariantCultureIgnoreCase)))
    {
        Response.Redirect("~/default.aspx");
    }
}
Kris Ivanov
  • 10,476
  • 1
  • 24
  • 35
1

One method would be to have a Page baseclass that performs this check on Page_Init. Another method would be to piggy-back off of @K Ivanov's idea with putting it in the Global.asax. While Session is not available during Application_BeginRequest it should be available in the method Application_AcquireRequestState. For not standard web requests, this should provide access to the session to perform what you want.

Joel Etherton
  • 37,325
  • 10
  • 89
  • 104
  • I like the base page technique because it is then easy to have it on for some pages and off for others if you so choose. I am personally of the opinion that having it in the global.asax is a bit of a blunt solution unless you really really want to only let one page get hit without session content. – Chris Feb 04 '11 at 15:49
  • @Chris - base page is my preferred method as well. I've used it often to achieve similar effects to this. – Joel Etherton Feb 04 '11 at 15:53
1

Be careful with Session.Count == 0, because things like Session_ID are, implicitly, stored in the session.

Preferably look for something like (Session["UserName"] == null), where Session["UserName"] is where you, explicitly, store something of the user.

Other than that, Global.asax is the best place (ASP.NET Application Life Cycle).

ALSO, you have to enter a check that you are not currently on ~/default.aspx, because otherwise you will have an infinite loop.

John Saunders
  • 160,644
  • 26
  • 247
  • 397
Theofanis Pantelides
  • 4,724
  • 7
  • 29
  • 49
1

Be careful with your approach. I don't think it is a good idea to validate globally if certain Session information exists or not. It can get become very messy, very fast. Only certain pages might require specific Session variables, which differ from other pages. Further down the road you might even have some content which can be safely accessed without any existing Session state. Then you will have to start coding exceptions to your rule...

What type of information are you storing in these Session variables? If you elaborate further we could maybe come up with a better approach.

santiagoIT
  • 9,411
  • 6
  • 46
  • 57