An HTTP module is an assembly that is called on every request that is made to your application. HTTP modules let you examine incoming and outgoing requests and take action based on the request.
eg: BeginRequest, AuthenticationRequest event, EndRequest event etc. You may intercept , participate and modify each request.
Uses for HTTP modules include
1) Security Because you can examine incoming requests, an HTTP module can perform custom authentication or other security checks before the requested page, XML Web service, or handler is called.
2) Statistics and logging Because HTTP modules are called on every request, you can gather request statistics and log information in a centralized module, instead of in individual pages.
3) Custom headers or footers Because you can modify the outgoing response, you can insert content such as custom header information into every page or XML Web service response.
An HTTP module is supposed to implement the following methods of the IHttpModule interface:
||This method allows an HTTP module to register its event handlers to the events in the HttpApplication object.
||This method gives HTTP module an opportunity to perform any clean up before the object gets garbage collected
An HTTP module can register for the following events exposed by the System.Web.HttpApplication object.
||This event is raised when ASP.NET runtime is ready to authenticate the identity of the user.
||This event is raised when ASP.NET runtime is ready to authorize the user for the resources user is trying to access.
||This event is raised when ASP.NET runtime receives a new HTTP request.
||This event is raised just before sending the response content to the client.
||This event is raised when the very first request arrives to the Web application.
||This event is raised just before the application is going to terminate.
||This event is raised for the very first request of the user’s session.
||This event is raised when the session is abandoned or expired.
Registering HTTP Modules in Configuration Files
To add an HTTP module:
<add name=”modulename” type=”classname, assemblyname” />
<add name=”OutputCahe” type=”System.Web.Caching.OutputCacheModule”/>
<add name=”Session” type=”System.Web.SessionState.SessionStateModule”/>
To remove an HTTP module
<remove name=”modulename” />
Implementing an HTTP Module for Providing Security Services
HTTP module that provides security services for our Web application. Our HTTP module will basically provide a custom authentication service. It will receive authentication credentials in HTTP request and will determine whether those credentials are valid.
/// Summary description for Class1.
public class CustomAuthenticationModule : IHttpModule
public void Init(HttpApplication r_objApplication)
// Register our event handler with Application object.
new EventHandler(this.AuthenticateRequest) ;
public void Dispose()
// Left blank because we dont have to do anything.
private void AuthenticateRequest(object r_objSender,
// Authenticate user credentials, and find out user roles.
1. HttpApplication objApp = (HttpApplication) r_objSender ;
2. HttpContext objContext = (HttpContext) objApp.Context ;
3. if ( (objApp.Request[“userid”] == null) ||
4. (objApp.Request[“password”] == null) )
6. objContext.Response.Write(“<H1>Credentials not provided</H1>”) ;
7. objContext.Response.End() ;
9. string userid = “” ;
10. userid = objApp.Request[“userid”].ToString() ;
11. string password = “” ;
12. password = objApp.Request[“password”].ToString() ;
13. string strRoles ;
14. strRoles = AuthenticateAndGetRoles(userid, password) ;
15. if ((strRoles == null) || (strRoles.GetLength(0) == 0))
17. objContext.Response.Write(“<H1>We are sorry but we could not
find this user id and password in our database</H1>”) ;
18. objApp.CompleteRequest() ;
20. GenericIdentity objIdentity = new GenericIdentity(userid,
21. objContext.User = new GenericPrincipal(objIdentity, strRoles) ;
private string AuthenticateAndGetRoles(string r_strUserID,
string strRoles = null ;
if ((r_strUserID.Equals(“Steve”)) &&
strRoles = new String ;
strRoles = “Administrator” ;
else if ((r_strUserID.Equals(“Mansoor”)) &&
strRoles = new string ;
strRoles = “User” ;
return strRoles ;
We start with the Init function. This function plugs in our handler for the AuthenticateRequest event into the Application object’s event handlers list. This will cause the Application object to call this method whenever the AuthenticationRequest event is raised.
Once our HTTP module is initialized, its AuthenticateRequest method will be called for authenticating client requests. AuthenticateRequest method is the heart of the security/authentication mechanism. In that function:
Line 1 and Line 2 extract the HttpApplication and HttpContext objects. Line 3 through Line 7 checks whether any of the userid or password is not provided to us. If this is the case, error is displayed and the request processing is terminated.
Line 9 through Line 12 extract the user id and password from the HttpRequest object.
Line 14 calls a helper function, named AuthenticateAndGetRoles. This function basically performs the authentication and determines the user role. This has been hard-coded and only two users are allowed, but we can generalize this method and add code for interacting with some user database to retrieve user roles.
Line 16 through Line 19 checks whether the user has any role assigned to it. If this is not the case that means the credentials passed to us could not be verified; therefore, these credentials are not valid. So, an error message is sent to the client and the request is completed.
Line 20 and Line 21 are very important because these lines actually inform the ASP.NET HTTP runtime about the identity of the logged-in user. Once these lines are successfully executed, our aspx pages will be able to access this information by using the User object.
Now we have to perform some changes in our web.config file. First of all, since we are using our own custom authentication, we don’t need any other authentication mechanism.
Similarly, don’t allow anonymous users to our Web site. Add the following to web.config file:
Users should at least have anonymous access to the file that they will use for providing credentials. Use the following configuration setting in the web.config file for specifying index.aspx as the only anonymously accessible file: