ASP.Net: HttpModules

An HTTP module is code that gets called for every request or response routed to your application. This code is registered with the server and can subscribe to events within the request-and-response pipeline. You can write HTTP modules to manage custom security levels, do custom logging, or execute similar tasks.
At the most fundamental level, ASP.Net HTTP Modules are classes which implement the System.Web.IHttpModule interface.


public interface IHttpModule
{       void Dispose();       void Init(HttpApplication context);


using System;
using System.Web;
using System.Diagnostics;
public class LoggingModule: IHttpModule
{
      public LoggingModule()
     {
      }

     public String ModuleName
     {
         get { return "LoggingModule"; }
      }

       public void Dispose() { }

       public void Init(HttpApplication context)
       {
           context.BeginRequest += (new EventHandler(this.Application_BeginRequest));
           context.EndRequest += (new EventHandler(this.Application_EndRequest));
       }

       private void Application_BeginRequest(Object source, EventArgs e)
       {
              HttpApplication application = (HttpApplication)source;
              HttpContext context = application.Context;
              
              if (VirtualPathUtility.GetExtension(context.Request.FilePath) == ".aspx")
              {
                 EventLog eLog = new EventLog();
                 eLog.Source = "Applicaiton";
                 eLog.WriteEntry("Begin .aspx request :: " +
                 DateTime.Now.ToLongDateString() + " :: " +
                 context.Server.MachineName,
                 EventLogEntryType.Information);
              }
         }

         private void Application_EndRequest(Object source, EventArgs e)
         {
              HttpApplication application = (HttpApplication)source;
              HttpContext context = application.Context;
              
              if (VirtualPathUtility.GetExtension(context.Request.FilePath) == ".aspx")
              {
                    EventLog eLog = new EventLog();
                    eLog.Source = "Applicaiton";
                    eLog.WriteEntry("End .aspx request :: " +
                     DateTime.Now.ToLongDateString() + " :: " +
                    context.Server.MachineName,
                     EventLogEntryType.Information);
              }
           }



Registering the Handler by Using Web.config

In IIS 6
<configuration>
  <system.Web>
    <httpModules>
      <add name="LoggingModule" type="LoggingModule" />
    </httpModules>
  </system.Web>
</configuration> 
 
In IIS 7
<configuration>
  <system.WebServer>
    <modules>
      <add name="LoggingModule" type="LoggingModule" />
    </modules>
  </system.WebServer>
</configuration>

The following list shows the key events exposed by the HttpApplication object.


Event                                                      When It's Called
BeginRequest                                  Before request processing starts
AuthenticateRequest                        To authenticate client
AuthorizeRequest                             To perform access check
ResolveRequestCache                       To get response from cache
AcquireRequestState                        To load session state
PreRequestHandlerExecute                 Before request sent to handler
PostRequestHandlerExecute               After request sent to handler
ReleaseRequestState                        To store session state
UpdateRequestCache                        To update response cache
EndRequest                                     After processing ends
PreSendRequestHeaders                    Before buffered response headers sent
PreSendRequestContent                    Before buffered response body sent


One of the most common operations when intercepting an HTTP request is to terminate the request. This is very common in custom authentication modules added to ASP.NET. In this case, the HttpApplication class has a method called CompleteRequest that is called for finishing the request. Calling CompleteRequest with the appropriate status codes can terminate the request.

ASP.NET HTTP Modules can be used to further extend the HTTP pipeline. Many of the services provided by the runtime are indeed implemented as HTTP modules. Common uses for creating custom modules include custom authentication and authorization schemes, in addition to any other filtering services that your application needs.

Comments

Post a Comment

Popular posts from this blog

Data Bound Controls in ASP.Net - Part 4 (FormView and DetailsView controls)

FormView The FormView control is used to display a single record from a data source. It is similar to the DetailsView control, except it displays user-defined templates instead of row fields. Creating your own templates gives you greater flexibility in controlling how the data is displayed. The FormView control supports the following features: ·          Binding to data source controls, such as SqlDataSource and ObjectDataSource. ·          Built-in inserting, updating and deleting capabilities. ·          Built-in paging capabilities. ·          Programmatic access to the FormView object model to dynamically set properties, handle events, and so on. ·          Customizable appearance through user-defined templates, themes, and styles. Templates For the FormView control ...
Read more

JavaScript - ES2015 (aka ES6)

The ES2015 Since this long time passed between ES5.1 and ES6, the release is full of important new features and major changes in suggested best practices in developing JavaScript programs. To understand how fundamental ES2015 is, just keep in mind that with this version, the specification document went from 250 pages to ~600. In this blog, we describe the most important changes. Arrow Functions A new  this   scope Promises Generators let   and  const Classes Constructor Super Getters and setters Modules Importing modules Exporting modules Template Literals Default parameters The spread operator Destructuring assignments Enhanced Object Literals Simpler syntax to include variables Prototype super() Dynamic properties For-of loop Map and Set New String methods New Object methods Arrow functions Arrow functions since their introduction changed how most JavaScript code looks (and works). Visually, it’s a simple and welcome ...
Read more

The Clickjacking attack and X-Frame-Options

Clickjacking  Clickjacking is a type of “web framing” or “UI redressing” attack. What that simply means in practice is that: 1. A user (victim) is shown an innocuous, but enticing web page (think watch online video) 2. Another web page (that generally does something important – think add friends on social network) is layered on top of the first page and set to be transparent 3. When the user thinks they are clicking on the web page they see (video), they are actually clicking on the higher layered (framed) page that is transparent There are two main ways to prevent clickjacking: 1.     Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains 2.     Employing defensive code in the UI to ensure that the current frame is the most top level window Using X-Frame-Options X-Frame-Options  originally invented by Microsoft for IE8, but supported by a number ...
Read more