A wierd ASP.Net bug or is there a better explanation?

Published 08 December 04 09:15 AM | alexcampbell

I think I have come across a wierd bug in the way ASP.Net Session State works within HttpModules.  I know this sounds implausible, but I can't figure out any other explanation. 

More often than not, the following HttpModule throws an NullReferenceException when I try to access httpContext.Session in the PreRequestHandlerExecute handler:

      public class AuthenticationModule : IHttpModule {

 

            HttpContext httpContext;

 

            public void Init(HttpApplication context) {

                  httpContext = context.Context;

                  context.PreRequestHandlerExecute += new EventHandler(context_PreRequestHandlerExecute);

            }

 

            public void Dispose() {

            }

 

            private void context_PreRequestHandlerExecute(object sender, EventArgs e) {

                  if(httpContext.Request.IsAuthenticated) {

                        if(httpContext.Session["User"] == null) {

                              // the object in the session has been lost, go back to

                              // the database and rebuild it and put it back in the session

                              // ...

                        }

                  }

            }

      }

This is pretty bizarre behaviour - Session State is definitely enabled across the application.

Comments

# Duncan Godwin said on December 7, 2004 06:53 PM:

You made me curious - a bit of poking around with Reflector reveals that the Session module does an async BeginAcquireState. So it's quite possible it hasn't finished populating the session by the time your code gets executed.

Though it wouldn't be as modular it might be safer to use the AuthenticateRequest event that get's fired in Global.asax.

# Alex Campbell said on December 7, 2004 06:58 PM:

Your theory sounds extremely likely. If you are in fact right, then this is an extremely frustrating bug.

Any ideas for a work around?

According to documentation, AuthenticateRequest doesn't have access to SessionState at all.

# Duncan Godwin said on December 7, 2004 07:08 PM:

Is the session varable based on the GenericPrincipal or is it an application specific object? What about creating a SmartProxy decorator for your user object that transparently initalises the object if it hasn't been populated yet? This would allow code to treat the object uniformly.

# Matt Berther said on December 7, 2004 07:16 PM:

Duncan has a good idea by using the AuthenticateRequest event, but it doesnt need to happen in Global.asax. You can wire up AuthenticateRequest in your own HttpModule as well...

In init do: context.AuthenticateRequest += new EventHandler(Application_AuthenticateRequest)

# Alex Campbell said on December 7, 2004 09:10 PM:

> According to documentation,
> AuthenticateRequest doesn't have access to
> SessionState at all.

This is why I'm using PreRequestHandlerExecute. AuthenticateRequest doesn't have access to SessionState.

Any other ideas?