Last post Mar 10, 2009 04:15 AM by ElChe77
Mar 09, 2009 06:06 AM|ElChe77|LINK
I'm new on this forum, so hi all! I've been reading a bit on the handlers/modules forum lately because I've run into a problem in the application I'm currently developing.
My problem in a nutshell:
1. User gets link http://myserver.com/showContent.ashx?id=x
2. User goes to this link, and if user has session, and it's validated that he has the correct license for the content, we add a frameset to the response of ShowContent.ashx which consists of
a) A banner page (Banner.aspx), and
b) Some server stored content that can be anything from .doc, .xml, .html, .swf or even things we don't know about. These lie in folders beneath /Resources/ virtual folder.
This works well.
However - any user can now grab the URL from the frameset, and access the static .html file for example, and then in the future bypass the security here.
What I want to do, is have a httpmodule that intercepts all requests to the topmost virtual path of the server content (i.e. /Resources/*) and checks session and license.
I've tried doing this with a httpmodule and a httphandler.
With the handler, I'm able to get session and do the checks but the page doesn't display anything after processing (even though I've tried just returning from the ProcessRequest method).
With the module, the Session object of the HttpContext is always NULL. I've read a bit about this, and it seems this is because IIS doesn't view this as managed resource and wont do the session stuff. I've not been able to work around this.
The code needs to work on both IIS7 and IIS6.
Could anyone point me in the right direction here?
Thanks a lot!
Mar 10, 2009 04:15 AM|ElChe77|LINK
If anyone's interested, I solved this with http://bhaidar.net/cs/archive/2008/07/17/asp-net-session-state-for-native-http-requests-in-iis-7-0.aspx