Http Modules

Http Module

An HTTP module is an assembly that is called on every request that is made to your application. HTTP modules let you examine incoming and outgoing requests and take action based on the request.

eg: BeginRequest, AuthenticationRequest event, EndRequest event etc. You may intercept , participate and modify each request.

Uses for HTTP modules include

1) Security   Because you can examine incoming requests, an HTTP module can perform custom authentication or other security checks before the requested page, XML Web service, or handler is called.

2) Statistics and logging   Because HTTP modules are called on every request, you can gather request statistics and log information in a centralized module, instead of in individual pages.

3) Custom headers or footers   Because you can modify the outgoing response, you can insert content such as custom header information into every page or XML Web service response.

 An HTTP module is supposed to implement the following methods of the IHttpModule interface:

Method Name Description
Init This method allows an HTTP module to register its event handlers to the events in the HttpApplication object.
Dispose This method gives HTTP module an opportunity to perform any clean up before the object gets garbage collected

 An HTTP module can register for the following events exposed by the System.Web.HttpApplication object.

  • Event Name
AuthenticateRequest This event is raised when ASP.NET runtime is ready to authenticate the identity of the user.
AuthorizeRequest This event is raised when ASP.NET runtime is ready to authorize the user for the resources user is trying to access.
BeginRequest This event is raised when ASP.NET runtime receives a new HTTP request.
EndRequest This event is raised just before sending the response content to the client.
Global.asax Events
Application_OnStart This event is raised when the very first request arrives to the Web application.
Application_OnEnd This event is raised just before the application is going to terminate.
Session_OnStart This event is raised for the very first request of the user’s session.
Session_OnEnd This event is raised when the session is abandoned or expired.

 Registering HTTP Modules in Configuration Files

To add an HTTP module:


            <add  name=”modulename” type=”classname, assemblyname” />




 <add name=”OutputCahe”  type=”System.Web.Caching.OutputCacheModule”/>

 <add  name=”Session”  type=”System.Web.SessionState.SessionStateModule”/>


 To remove an HTTP module


            <remove  name=”modulename” />


 Implementing an HTTP Module for Providing Security Services

HTTP module that provides security services for our Web application. Our HTTP module will basically provide a custom authentication service. It will receive authentication credentials in HTTP request and will determine whether those credentials are valid.

 using System;

using System.Web;

using System.Security.Principal; 

namespace SecurityModules


 /// <summary>

 /// Summary description for Class1.

 /// </summary> 

 public class CustomAuthenticationModule : IHttpModule


  public CustomAuthenticationModule()



  public void Init(HttpApplication r_objApplication)


   // Register our event handler with Application object.

   r_objApplication.AuthenticateRequest +=

               new EventHandler(this.AuthenticateRequest) ;


   public void Dispose()


   // Left blank because we dont have to do anything.


   private void AuthenticateRequest(object r_objSender,

                                   EventArgs r_objEventArgs)


   // Authenticate user credentials, and find out user roles.

   1. HttpApplication objApp = (HttpApplication) r_objSender ;

   2. HttpContext objContext = (HttpContext) objApp.Context ;

   3. if ( (objApp.Request[“userid”] == null) ||

   4.                     (objApp.Request[“password”] == null) )

   5. {

   6.  objContext.Response.Write(“<H1>Credentials not provided</H1>”) ;

   7.  objContext.Response.End() ;

   8. }

    9. string userid = “” ;

   10. userid = objApp.Request[“userid”].ToString() ;

   11. string password = “” ;

   12. password = objApp.Request[“password”].ToString() ;                                   

   13. string[] strRoles ;

   14. strRoles = AuthenticateAndGetRoles(userid, password) ;

   15. if ((strRoles == null) || (strRoles.GetLength(0) == 0))

   16. {

   17. objContext.Response.Write(“<H1>We are sorry but we could not

       find this user id and password in our database</H1>”) ;

   18. objApp.CompleteRequest() ;

   19. }

    20. GenericIdentity objIdentity = new GenericIdentity(userid,

                                             “CustomAuthentication”) ;

   21. objContext.User = new GenericPrincipal(objIdentity, strRoles) ;


   private string[] AuthenticateAndGetRoles(string r_strUserID,

                                                 string r_strPassword)


   string[] strRoles = null ;

   if ((r_strUserID.Equals(“Steve”)) &&



    strRoles = new String[1] ;

    strRoles[0] = “Administrator” ;


   else if ((r_strUserID.Equals(“Mansoor”)) &&



     strRoles = new string[1] ;

     strRoles[0] = “User” ;                                             


    return strRoles ;




 We start with the Init function. This function plugs in our handler for the AuthenticateRequest event into the Application object’s event handlers list. This will cause the Application object to call this method whenever the AuthenticationRequest event is raised.

 Once our HTTP module is initialized, its AuthenticateRequest method will be called for authenticating client requests. AuthenticateRequest method is the heart of the security/authentication mechanism. In that function:

 Line 1 and Line 2 extract the HttpApplication and HttpContext objects. Line 3 through Line 7 checks whether any of the userid or password is not provided to us. If this is the case, error is displayed and the request processing is terminated.

 Line 9 through Line 12 extract the user id and password from the HttpRequest object.

 Line 14 calls a helper function, named AuthenticateAndGetRoles. This function basically performs the authentication and determines the user role. This has been hard-coded and only two users are allowed, but we can generalize this method and add code for interacting with some user database to retrieve user roles.

 Line 16 through Line 19 checks whether the user has any role assigned to it. If this is not the case that means the credentials passed to us could not be verified; therefore, these credentials are not valid. So, an error message is sent to the client and the request is completed.

 Line 20 and Line 21 are very important because these lines actually inform the ASP.NET HTTP runtime about the identity of the logged-in user. Once these lines are successfully executed, our aspx pages will be able to access this information by using the User object.

 Now we have to perform some changes in our web.config file. First of all, since we are using our own custom authentication, we don’t need any other authentication mechanism.

 <authentication mode=”None”/>

 Similarly, don’t allow anonymous users to our Web site. Add the following to web.config file:


  <deny users=”?”/>


Users should at least have anonymous access to the file that they will use for providing credentials. Use the following configuration setting in the web.config file for specifying index.aspx as the only anonymously accessible file:

 <location path=”index.aspx”>



   <allow users=”*”/>





Leave a comment

Filed under .Net

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s