IIS 7 and Above
System.Web.SessionState.HttpSessionState not avilable for request mad...
Last post Oct 20, 2014 04:27 PM by ryanzero
Apr 03, 2007 02:37 AM|mehuls|LINK
I am developing a managed module that can run for requests made to unmanaged content on IIS 7.0. In this module I am using the System.Web.SessionState.HttpSessionState object
to check if the session assosciated with the rquest is newly created session or not.
The isssue I am facing is,the System.Web.SessionState.HttpSessionState is not available for request made to unmanaged content.
The HttpSessionState object is avilable for request made to managed content.The problem is with the request made to unmanaged content.
Any inputs on this would be very helpful.
Apr 03, 2007 12:36 PM|anilr|LINK
Apr 04, 2007 04:33 AM|ankitasdeveloper|LINK
Which module is responsible for mapping ASP.NET session to a request?
Setting the runAllManagedModulesForAllRequests attrubute to ture, makes all managed module to execute for all requests. But it does not work and we can't get session object for *.jpg files (Session is null). It works for *.aspx requests only.
I tried removing preCondition of System.Web.SessionState.SessionStateModule, still it didn;t work.
Apr 04, 2007 02:20 PM|mvolo|LINK
While Anil is right about removing the precondition for the SessionStateModule, the trick is in how SessionStateModule determines whether a particular request requires session state or not (since session state is pretty expensive to get on each request,
particularly when using OOB session state).
One of the things that the module checks is that the handler implements IRequiresSessionState interface. For unmanaged requests, there is no ASP.NET handler set on the request, so no session state is fetched.
You can learn more about the session state module here:
To fake out the module into getting you the session state anyway, just set HttpContext.Handler to a dummy IHttpHandler class that implements IRequiresSessionState (you'll have to write one, but you wont have to implement ProcessRequest - it will never be
called). Do this in PostMapRequestHandler, and only when HttpContext.Handler is already null (meaning ASP.NET wont be called for the handler). You can then remove your handler in PostAcquireRequestState, after the session state module has made its determination.
Apr 14, 2007 10:19 AM|tdjastrzebski|LINK
Thank you, Mike. You help me to find a solution I was seeking for 3 days already!
Dec 23, 2007 11:05 PM|hla|LINK
This brought me also the solution I was looking for. Thanks!
Only one problem was left for me. I had to do the same thing in 1.1, but this older framework version doen't provide the PostMapRequestHandler. The problem is were to set the dummy IHttpHandler. The solution is to set the Handler just like you would do
it in the web.config (Example: <add verb="*" path="*.divx" type=".....DummyHandlerWithSession,....." /> and then removing the handler like described above.
Sep 06, 2009 07:34 AM|darwaish|LINK
Sep 08, 2009 01:16 PM|anilr|LINK
Why do you need to enable session state for content authorization?
Sep 08, 2009 01:28 PM|darwaish|LINK
Sep 10, 2009 01:19 PM|anilr|LINK
Ok, looks like using session is the best way here.
From the symptoms, sounds like you may have some request which is not releasing the session in a timely manner - I would suggest using failed request tracing to see what requests you are seeing with particular session-id and whether any of them are holding
on to the session indefinitely.
Sep 10, 2009 01:27 PM|darwaish|LINK
Oct 19, 2014 11:21 AM|mahdiahmadirad|LINK
Thank you for your useful reply dear Mike Volodarsky,
i have same issue but your solution not working on my custom HTTP Session Module.
you know, according to the Microsoft's Session module source, i handled new session initializations on BeginAcquireState:
public void Init(HttpApplication app)
// Handling OnAcquireRequestState Asynchronously
private IAsyncResult app_BeginAcquireState(object source, EventArgs e, AsyncCallback cb, object extraData)
// Firing Sessoin_Start Event
because your suggestion about adding IRequiresSessionState marker to
HttpContext.Hanlder in PostAcquireRequestState will fire after AcquireRequestState i handled your solution in my
BeginAcquireState and i do it somewhere before firing sessionStart Handler.
HttpApplication app = (HttpApplication)sender;
if (app.Context.Handler is IRequiresSessionState || app.Context.Handler is IReadOnlySessionState)
app.Context.Handler = new DummyHandler(app.Context.Handler);
so DummyHandler is:
public sealed class DummyHandler : IHttpHandler, IRequiresSessionState, IReadOnlySessionState
but unfortunately Sessoin object is still null in the Session_Start.
i just only handled the AcquireRequestState in a async way according to the Microsoft's .NET 4.5 framework
SessionStateModule Source Code.
Have you any suggestion for me to handle your solution in such case?!
Oct 20, 2014 04:27 PM|ryanzero|LINK
I am also having trouble getting the solution working for the SAML authentication module I have been tasked to write. I have tried a few different event triggers to put the HTTP Handler swap, but all end up with the current session being null. Any ideas
if there is something else besides the swap and the runAllManagedModulesForAllRequests attribute that needs to be done to allow me to access session on *all* requests?