Avoid using the Session in The Page Constructor OR in Page Local Variables

Wednesday, May 7, 2008

While I'm helping the Folks on asp.net forums, I noticed that there is a lot of develoeprs trying to access the Http Session in Page Constructor !

Most of them used this to Implement a kind of Secured Base Page that checks the session value ,and if its missing , it will redirect to login or whatever page,

some of them write this Class :

public class AdminSecuredPage : System.Web.UI.Page
{

    public AdminSecuredPage()
    {
        if (Session["AdminUser"] == null) {
            Response.Redirect("~/login.aspx");
        }

    }

}

Note that the above class will throws HttpException ,

which tells :

"Session state can only be used when enableSessionState is set to true, either in a configuration file or in the Page directive. Please also make sure that System.Web.SessionStateModule or a custom session state module is included in the <configuration> ..."

well the above exception will be thrown because the session is not ready when the Page constructor was called .

The Solution :

One solution is to Move the Code from Page Constructor to Page_init , Note that the page_init for this class will be called before the the Page_init of its Sub Page Class,

so you can check the Session value as follows:

public class AdminSecuredPage : System.Web.UI.Page
{
    public AdminSecuredPage()
    {}

    protected override void OnInit(EventArgs e)
    {
        // if the user is not Admin , redirect to Login Page
        if (Session["AdminUser"] == null)
            Response.Redirect("~/login.aspx");

        // this needed to initialize its base page class
        base.OnInit(e);
    }
}

Edit 1:

Note that using the session for that purpose is not a good practice , because there is al ready a built in FormsAuthentication services for asp.net,

however , i will not discuss the security approches here...

Edit 2:

I want to mention that you should also avoid accessing the Session in the Page Local Variables , like this example ( look at the Bold word)

Partial Class Page1

Inherits System.Web.UI.Page

Private LocalVar as string=Session("MyVar")

that will also throw the HttpException !

Hope It Helps,

Anas Ghanem

Muntedhar Alhakim,
Thanks for the notes...

anas - Thursday, May 8, 2008 9:30:34 PM

Thank you for your short and concise explanation

Ion Lamasanu, from Ro - Monday, June 2, 2008 7:55:23 PM

Thnx alot, My problem solved

Haider - Friday, November 21, 2008 12:33:29 PM

Rather putting stuff in page_init, only option is to use preinit page event, while using the third party control initializations based on session variables

Muneeb Fayyaz - Tuesday, January 19, 2010 3:54:24 PM

the most excellent blog i ever saw. I was stucked in this issue from last 2 days.

Thanks bro

waqas - Thursday, March 25, 2010 7:16:40 PM

thank you so much buddy, i had been searching the web hay for this needle!!
take care : )

Shivdev Dhanjal - Tuesday, June 1, 2010 12:44:37 PM

6 Comments