Avoid using the Session in The Page Constructor OR in Page Local Variables

While I'm helping the Folks on asp.net forums, I noticed that there is a lot of develoeprs trying to access the Http Session in Page Constructor !

Most of them used this to Implement a kind of Secured Base Page  that checks the session value ,and if its missing , it will redirect to login or whatever page,

some of them write this Class :

public class AdminSecuredPage : System.Web.UI.Page
{

    public AdminSecuredPage()
    {
        if (Session["AdminUser"] == null) {
            Response.Redirect("~/login.aspx");
        }

    }

}

Note that the above class will throws HttpException ,

which tells :

"Session state can only be used when enableSessionState is set to true, either in a configuration file or in the Page directive. Please also make sure that System.Web.SessionStateModule or a custom session state module is included in the <configuration> ..."
 

 well the above exception will be thrown because the session is not ready when the Page constructor was called .

 

The Solution : 

One solution is to Move the Code from Page Constructor to  Page_init , Note that the page_init for this class will be called before the the Page_init of its Sub Page Class,

so you can check the Session value as follows:

public class AdminSecuredPage : System.Web.UI.Page
{
    public AdminSecuredPage()
    {}
  
    protected override void OnInit(EventArgs e)
    {
        // if the user is not Admin , redirect to Login Page
        if (Session["AdminUser"] == null)
            Response.Redirect("~/login.aspx");

        // this needed to initialize its base page class
        base.OnInit(e);
    }
}

 

Edit 1:

Note that using the session for that purpose is not a good practice , because there is al ready a built in FormsAuthentication services for asp.net,

however , i will not discuss the security approches here...

 

Edit 2:

I want to mention that you should also avoid accessing the Session in the Page Local Variables , like this example ( look at the Bold word)

Partial Class Page1

Inherits System.Web.UI.Page

 Private LocalVar as string=Session("MyVar")


that will also throw the HttpException !

 

Hope It Helps,

Anas Ghanem

Published Wednesday, May 7, 2008 10:50 PM by anas
Filed under: ,

Comments

# re: Avoid using the Session in The Page Constructor

Thursday, May 8, 2008 5:30 PM by anas

Muntedhar Alhakim,

Thanks for the notes...

# re: Avoid using the Session in The Page Constructor OR in Page Local Variables

Monday, June 2, 2008 3:55 PM by Ion Lamasanu, from Ro

Thank you for your short and concise explanation

# re: Avoid using the Session in The Page Constructor OR in Page Local Variables

Friday, November 21, 2008 7:33 AM by Haider

Thnx alot, My problem solved

# re: Avoid using the Session in The Page Constructor OR in Page Local Variables

Tuesday, January 19, 2010 10:54 AM by Muneeb Fayyaz

Rather putting stuff in page_init, only option is to use preinit page event, while using the third party control initializations based on session variables

# re: Avoid using the Session in The Page Constructor OR in Page Local Variables

Thursday, March 25, 2010 3:16 PM by waqas

the most excellent blog i ever saw. I was stucked in this issue from last 2 days.

Thanks bro

# re: Avoid using the Session in The Page Constructor OR in Page Local Variables

Tuesday, June 1, 2010 8:44 AM by Shivdev Dhanjal

thank you so much buddy, i had been searching the web hay for this needle!!

take care : )