Anas Ghanem

ASP.NET from the middle east

Avoid using the Session in The Page Constructor OR in Page Local Variables

While I'm helping the folks on the asp.net forums, I noticed that a lot of developers try to access the HTTP Session in the Page constructor!

Most of them use this to implement a kind of secured base page that checks the session value and, if it is missing, redirects to the login page or some other page.

Some of them write this class:

public class AdminSecuredPage : System.Web.UI.Page
{

    public AdminSecuredPage()
    {
        if (Session["AdminUser"] == null) {
            Response.Redirect("~/login.aspx");
        }

    }

}

Note that the above class will throw an HttpException, which says:

"Session state can only be used when enableSessionState is set to true, either in a configuration file or in the Page directive. Please also make sure that System.Web.SessionStateModule or a custom session state module is included in the <configuration> ..."
 

The above exception is thrown because the session is not ready when the Page constructor is called.

 

The Solution:

One solution is to move the code from the Page constructor to Page_Init. Note that the Page_Init for this class will be called before the Page_Init of its sub page class, so you can check the Session value as follows:

using System;

public class AdminSecuredPage : System.Web.UI.Page
{
    public AdminSecuredPage()
    {}

    protected override void OnInit(EventArgs e)
    {
        // if the user is not Admin, redirect to the login page
        if (Session["AdminUser"] == null)
            Response.Redirect("~/login.aspx");

        // this is needed to initialize its base page class
        base.OnInit(e);
    }
}

 

Edit 1:

Note that using the session for that purpose is not a good practice, because there is already a built-in FormsAuthentication service for ASP.NET; however, I will not discuss the security approaches here...

 

Edit 2:

I want to mention that you should also avoid accessing the Session in the Page local variables, like this example (look at the Session access in the field initializer):

Partial Class Page1
    Inherits System.Web.UI.Page

    ' the initializer runs while the page object is being constructed
    Private LocalVar As String = Session("MyVar")
End Class

That will also throw the HttpException!
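
The two points above combined, as an added example that is not code from the original post: the base page checks the session in OnInit and treats a missing session as "not logged in", and a derived page reads the "MyVar" value lazily instead of in a field initializer. ReportsPage and the LocalVar property are assumed names for illustration.

```csharp
using System;
using System.Web.UI;

// Base page: the check lives in OnInit, where session state has been acquired.
public class AdminSecuredPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // Context.Session is null when session state is unavailable (for
        // example a page with EnableSessionState="false"). Page.Session would
        // throw there, so test the context and fail closed: no session means
        // no admin.
        var session = Context.Session;
        if (session == null || session["AdminUser"] == null)
        {
            // The one-argument overload ends the response, so the rest of the
            // page lifecycle does not run for this request.
            Response.Redirect("~/login.aspx");
        }

        base.OnInit(e);
    }
}

// Hypothetical derived page (ReportsPage is an assumed name).
public class ReportsPage : AdminSecuredPage
{
    // VB lets a field initializer read Session and fails at run time; C#
    // rejects an instance-member reference in a field initializer at compile
    // time (CS0236). Either way, declare the field empty and fill it later.
    private string localVar;

    // Read the value on first use, which happens after OnInit has run.
    protected string LocalVar
    {
        get { return localVar ?? (localVar = Session["MyVar"] as string); }
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Encode before writing: session values may hold user-supplied text.
        Response.Write(Server.HtmlEncode(LocalVar ?? string.Empty));
    }
}
```

The check only covers pages that inherit from AdminSecuredPage; a page that derives directly from System.Web.UI.Page is not protected by it.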

 

Hope It Helps,

Anas Ghanem

Published Wednesday, May 07, 2008 10:50 PM by anas

Comments

# Head.SmackOnTable(); » Blog Archive » Another way to do user based security @ Wednesday, May 07, 2008 8:22 PM

Pingback from Head.SmackOnTable(); » Blog Archive » Another way to do user based security

# re: Avoid using the Session in The Page Constructor @ Wednesday, May 07, 2008 8:36 PM

I've posted on my blog (in response to this) - www.unauthorised-access.com/.../another-way-to-do-user-based-security - I think that might be a better option on how to do things (I know it's not based on the session, but the asp.net user identity does have roles for a reason)

Monty

# Link Listing - May 7, 2008@ Thursday, May 08, 2008 8:35 AM

ASP.NET Avoid using the Session in The Page Constructor [Via: anas ] Sharepoint Office SharePoint Server...

# Link Listing - May 7, 2008@ Thursday, May 08, 2008 8:36 AM

Link Listing - May 7, 2008

# re: Avoid using the Session in The Page Constructor @ Thursday, May 08, 2008 5:30 PM

Muntedhar Alhakim,

Thanks for the notes...

by anas

# re: Avoid using the Session in The Page Constructor OR in Page Local Variables @ Monday, June 02, 2008 3:55 PM

Thank you for your short and concise explanation

by Ion Lamasanu, from Ro

# re: Avoid using the Session in The Page Constructor OR in Page Local Variables @ Tuesday, October 14, 2008 10:55 PM

thanks

by ruisu

# re: Avoid using the Session in The Page Constructor OR in Page Local Variables @ Friday, November 21, 2008 7:33 AM

Thanks a lot, my problem is solved

by Haider

# re: Avoid using the Session in The Page Constructor OR in Page Local Variables @ Saturday, November 29, 2008 9:24 AM

many thanks

by uvi
