Last post Aug 04, 2014 09:25 AM by sajanemmanuel
Jul 25, 2014 07:46 AM|sajanemmanuel|LINK
I am kind of stuck with one issue. I have an ASP.NET MVC4 application. I am using Session in InProc mode to keep user specific date. My application will be launched by another application by passing some values via Http Header. Based on these values I decide
whether my application is launched by an authorized entity or not. My problem is bit weird. No issues if I run my application standalone(Not through other application). But if it is launched through via another web application(passing secret value using Http
Header) my Session_Start method in Global_ASAX is getting called two times and application is screwed. I detected this using Trace statements. Please find them below
Line 190: Session ID is p0w4ydap5ry0fy5pgzo4eleu
Line 193: Session started for My Configuration Web Tool
/*Some assembly resolve errors are here. I am using AppDomain.AssemblyResolve event. Please note that Session ID is changed for the below one */
Line 458: Session ID is pp0c5uzcm2132502ri1coniu
Line 461: Session started for My Configuration Web Tool
Below is the code in other application to launch.
HttpWebRequest httpRequest = (HttpWebRequest)HttpWebRequest.Create("http://localhost/MyConfigWebTool");
httpRequest.Method = WebRequestMethods.Http.Get;
httpRequest.MaximumAutomaticRedirections = 10;
httpRequest.AllowAutoRedirect = true;
HttpWebResponse response = (HttpWebResponse)httpRequest.GetResponse();
StreamReader reader = new StreamReader(response.GetResponseStream());
string tmp = reader.ReadToEnd();
if (response.StatusCode == HttpStatusCode.Redirect)
In my application I have an Authorize attribute which will read the Http header and perform authorization. Below is the code for that
/// Custom authorization attribute which will take care of the authorization process
public class CustomAuthorizationAttribute : AuthorizeAttribute
#region Protected Method(s)
protected override bool AuthorizeCore(HttpContextBase httpContext)
// If user name is not captured in session, perform the authorization
if (httpContext.Session[DICOMConfigWebUIConstants.UsernameSessionKey] == null)
var userNames = httpContext.Request.Headers.GetValues("username");
if (userNames == null || userNames.Length < 0)
string msg = "Unable to get the user name through Http header";
// Check the authorization
var authHeaderValue = httpContext.Request.Headers.GetValues("Guid");
if (authHeaderValue == null || authHeaderValue.Length < 0)
string msg = "Unable to get the authorization unique ID through Http header";
if (authHeaderValue != "abcd")
string msg = "Mismatch between unique ID through Http header and configured one;
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
string authUrl = PluginAreaBootstrapper.ToolConfiguration.
filterContext.Result = new RedirectResult(authUrl, false);
Can anyone tell what is happening wrong with my application. Most interesting thing is Session_End() is not getting called in between two Session_Start(). Thanks in advance
Jul 25, 2014 08:06 AM|SSA|LINK
Try to trace via Fiddler, what is happening when you fire httpwebrequest?! Simpyl start it and see if there are double request sent.
Jul 25, 2014 08:44 AM|sajanemmanuel|LINK
Thanks for the reply. I am not able to see any request for the target url in Fiddler. But it is coming there and one ajax method is getting called(I can see the same in Fiddler). No idea why the request done through HttpWebRequest is not shown in Fiddler.
Jul 25, 2014 09:15 AM|SSA|LINK
Are you running on localhost. You can follow the tips here for using fiddler with localhost and for all processes.
Jul 25, 2014 09:47 AM|sajanemmanuel|LINK
Yes, I was using localhost. Now changed to my machine name. But still I am not able to see the the request to my entry point url in the application. Let me tell you that in my first application I am making this HttpWebRequest inside an ASP.NET Button's event
handler. Could this be a problem?
Jul 25, 2014 09:48 AM|PatriceSc|LINK
Do you mean it is called two times for a *single* HTTP request ? Keep in mind that:
- the session id is not fixed until you actuall defined a session variable
- if you don't pass the sessionid, then each time you are doing this external HTTP query you'll end up with creating a new session
So if you don't talk about a single request it could be just the expected behavior.
The Session_End behavior doesn't really surprise me (either it is never triggered because you just don't have any session values or it will be called on the sessino expiration. There is not reason for this event to be called, just because another unrelated
session is started), you could have tons of session starts and then only much later a session_end, I see nothing wrong with this).
It could be best to test for this in simple separate project. It might be much simpler to follow what happens and to do some testing rather than if you have also tons of unrelated stuff (such as this AssemblyResolve thing or whatever). At least it would
proove that this other stuff has nothing to do with your current issue.
Jul 28, 2014 04:41 AM|sajanemmanuel|LINK
Thanks to everyone who responded. I think I found the culprit. But don't understand why it is happening. Along with the full http request(The request to load home page), there is an ajax request also in the document ready. Both are targeting different action
methods on the same controller. It seems like Ajax method is triggering the session start again. As somebody suggested above, I am initializing some value in Session too(Inside Session_Start). But still Session_Start is getting called two times. I am uploading
a small sample in Onedrive. The code to launch the application is same(One mentioned above with HttpWebRequest). Here is my sample
Aug 04, 2014 09:25 AM|sajanemmanuel|LINK
Since I am using cookie based session, I have included the below extra line with HttpWebRequest. But still Session_Start() is getting called with each RedirectToAction() call.
CookieContainer cookieContainer = new CookieContainer();
httpRequest.CookieContainer = cookieContainer;