Asp.net: where to put code to redirect users without a session to the main page?

I have a web application with many pages, and most of them require some session variables.

I want to add a security code to my application. Where is it best to put something like:

    if (Session.Count == 0)
    {
        Response.Redirect("~/default.aspx");
    }

EDIT: how to check if the current page is default.aspx?

+6
c# session
5 answers

Quite difficult, yes, fortunately, this is resolved.

You need to implement Application_PreRequestHandlerExecute in Global.asax.

Here is the code:

    /// <summary>
    /// The event occurs just after initialization of Session, and before the Page_Init event
    /// </summary>
    protected void Application_PreRequestHandlerExecute(Object sender, EventArgs e)
    {
        // Check whether the handler requires session state:
        // .aspx requires session, so Session is available there;
        // .jpg or .css do not require session, so Session will be null.
        // Those are also HTTP requests, even if you implemented
        // a URL rewriter or a custom IHttpModule.
        // (IRequiresSessionState and IReadOnlySessionState are in System.Web.SessionState.)
        if (Context.Handler is IRequiresSessionState || Context.Handler is IReadOnlySessionState)
        {
            // here is your actual code:
            // check if the session is a new one, or any of your logic
            if (Session.IsNewSession || Session.Count < 1)
            {
                // for instance, your login page is default.aspx;
                // a request for the login page itself must not be redirected.
                // Match on the path only, not the whole URI.
                if (!Context.Request.Url.AbsolutePath.EndsWith("/default.aspx", StringComparison.OrdinalIgnoreCase))
                {
                    // redirect to your login page
                    Context.Response.Redirect("~/default.aspx");
                }
            }
        }
    }

Edit 1: Explanation and conclusion

As one of the guys said, the ASP.NET application life cycle.

There are many events that occur.

In fact, events in Global.asax occur in the following sequence:

  • Confirm request // internal mechanism only
  • Perform URL mapping // internal mechanism only
  • Raise the BeginRequest event.
  • Raise the AuthenticateRequest event.
  • Raise the PostAuthenticateRequest event.
  • Raise the AuthorizeRequest event.
  • Raise the PostAuthorizeRequest event.
  • Raise the ResolveRequestCache event.
  • Raise the PostResolveRequestCache event.
  • Select the class that implements IHttpHandler for the request // internal mechanism only
  • Raise the PostMapRequestHandler event.
  • Raise the AcquireRequestState event. Before raising this event, ASP.NET loads state such as Session.
  • Raise the PostAcquireRequestState event.
  • Raise the PreRequestHandlerExecute event.
  • Call the ProcessRequest method.

Conclusion: All events prior to AcquireRequestState do not have a Session object, because Session has not yet been loaded by ASP.NET. Any event from the AcquireRequestState event onward provides a Session object, so this problem is solved. However, some checks are required, as I mentioned in the code above.

+15

In Application_BeginRequest in Global.asax.

To summarize the ideas that we have:

    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        if ((Session.Count == 0) &&
            !(Request.Url.AbsolutePath.EndsWith("default.aspx", StringComparison.InvariantCultureIgnoreCase)))
        {
            Response.Redirect("~/default.aspx");
        }
    }

+1

One method is to have a base page class that performs this check on Page_Init. Another method would be to go with @K Ivanov's idea of placing it in Global.asax. While the session is unavailable during Application_BeginRequest, it must be available in the Application_AcquireRequestState method. For non-standard web requests, this should provide access to the session to accomplish what you want.

+1

Be careful with Session.Count == 0, because things like Session_ID are implicitly stored in the session.

It is advisable to look for something like (Session["UserName"] == null), where Session["UserName"] is where you explicitly stored something from the user.

In addition, Global.asax is the best place (ASP.NET Application Life Cycle).

Also, you need to add a check that you are not currently on ~/default.aspx, because otherwise you will have an infinite loop.

+1
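
The advice in the answers above combined into one Global.asax.cs handler, as an added example that is not code from any of the posters: it tests an explicitly stored key instead of Session.Count and matches the login page by exact app-relative path. Session["UserName"] and ~/default.aspx come from the answers; the class name Global and the helper MustRedirect are assumptions.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Added example (Global.asax.cs). "UserName" and "~/default.aspx" come from
// the answers; the names Global and MustRedirect are assumptions.
public class Global : HttpApplication
{
    private const string LoginPage = "~/default.aspx";

    // Pure decision function, so the rule can be unit tested without IIS.
    internal static bool MustRedirect(bool usesSession, string appRelativePath, object userName)
    {
        if (!usesSession)
            return false;   // static files and session-less handlers
        if (string.Equals(appRelativePath, LoginPage, StringComparison.OrdinalIgnoreCase))
            return false;   // the login page itself: no redirect loop
        return userName == null;   // explicit key, not Session.Count
    }

    // Session state has been loaded by the time this event is raised.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        // Context.Session is null (no exception) when the handler has no session.
        HttpSessionState session = Context.Session;
        bool usesSession = session != null &&
            (Context.Handler is IRequiresSessionState || Context.Handler is IReadOnlySessionState);
        object userName = usesSession ? session["UserName"] : null;

        // AppRelativeCurrentExecutionFilePath is the path of the executing
        // page in "~/" form, without the query string.
        if (MustRedirect(usesSession, Request.AppRelativeCurrentExecutionFilePath, userName))
        {
            // endResponse: false avoids a ThreadAbortException; CompleteRequest
            // skips the remaining pipeline events, so the page handler never runs.
            Response.Redirect(LoginPage, false);
            CompleteRequest();
        }
    }
}
```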

Be careful with your approach. I do not think it is a good idea to verify globally whether certain session information exists or not. It can become very dirty, very fast. Only certain pages may require special session variables that are different from other pages. Further down the road, you may even have some content that can be accessed safely without any existing session state. Then you will need to start coding the exceptions to your rule...

What information do you store in these session variables? If you specify that, we could offer a better approach.

+1