Global.asax - WindowsAuthentication_Authenticate - SessionState null and Multiple Cal

[tahirjadoon]

This is an internal application that uses windows authentication. In WindowsAuthentication_Authenticate method, i am getting the logged in user from the db. If the user is not found or marked as gone then i redirect the user to an error page.

1. WindowsAuthentication_Authenticate This method executes multiple times, including css or js files referenced in the head section.

Code:

<link href="@Url.Stylesheet("Layout.css")" rel="stylesheet" type="text/css" /> 
<script src="@Url.Script("Tools/extensions.js")" type="text/javascript"></script>

In this case, if i have 3 style sheets and 2 js files referenced then this method executes 6 times.


2. Session State Null

Per problem # 1 above, i don't want to hit DB multiple times. To work around it, i tried putting the user information in a session. Here i am getting HttpContext.Current.Session is null. In web.config i don't have any configuration regarding session.

Here is my complete code...

Code:

 protected void WindowsAuthentication_Authenticate(object sender, WindowsAuthenticationEventArgs e)         
{                          
bool isUserFound = false;             
bool isUserGone = false;             
UtilityService utility = newUtilityService();               
string rawurl = HttpContext.Current.Request.RawUrl;               
 if (e.Identity.IsAuthenticated)             
{                 
if (userPlaceHolder == null) //local property to tackle hitting DB multiple times                 
{                     
 UserInternal userInternal = utility.GetLoggedInUser(e.Identity.Name);                     
if (userInternal != null)                     
{                         
 userPlaceHolder = userInternal;                         
isUserFound = true;                         
//TODO: check for gone, you can use userInternal or userPlaceHolder  
isUserGone = false;                     
}                 
}                 
else                 
{                     
 isUserFound = true;                     
//TODO: check for gone, use userPlaceHolder                     
isUserGone = false;                 
}             
}                         
 //set the user             
if (isUserFound && !isUserGone)             
{                 
string role = String.IsNullOrWhiteSpace(userPlaceHolder.UserClass) ? String.Empty : userPlaceHolder.UserClass;                 
// Setting the current user and role in the Principal                 
e.User = new System.Security.Principal.GenericPrincipal(e.Identity, newstring[] { role });                 
HttpContext.Current.User = e.User;             
}               
//handle gone and user not found             
if (!rawurl.LowerInvariantContains(ControllerNames.Message) &&
!rawurl.LowerInvariantContains(".css") &&
!rawurl.LowerInvariantContains(".js") &&
!rawurl.LowerInvariantContains(".jpg") &&
!rawurl.LowerInvariantContains(".gif") &&
!rawurl.LowerInvariantContains(".png"))             
{                 
if (!isUserFound || isUserGone)                 
{                     
string url = String.Empty;                     
if (isUserGone)                         
url = utility.GetSiteRestrictedLink(ProcessingMessagesEnum.UserLocked);                     
else                         
url = utility.GetSiteRestrictedLink(ProcessingMessagesEnum.UserNotAuthorizedToViewSite); ;                     
 HttpContext.Current.Response.Redirect(url);                 
}             
}         
}

[wwb_99]

Remember each request is a separate execution of the global context, hence the general advice to move static assets off to a separate server. So your windows auth calls make sense -- your stylesheets and such are a request and windows auth is being performed.

Several ways around this, what are you trying to achieve here?

[tahirjadoon]

Basically,

I want to check the logged in user against the DB for the following two conditions
1. user is in the employee db
2. user is not marked as gone

If any of the above conditions is true then i want to redirect the user to the error page. (Active dir should handle this and user should not get authenticated at the first place. I am doing redundant checks, what if HR has updated the employee db but systems failed to update at their end).

Should i move the checking to application start since that executes only once? If yes, then how can i set the user:

Code:

// Setting the current user and role in the Principal                 
e.User = new System.Security.Principal.GenericPrincipal(e.Identity, newstring[] { role });                 
HttpContext.Current.User = e.User;

I only want to hit the DB once in WindowsAuthentication_Authenticate.

[wwb_99]

Application start won't work unless this is single instance. Session start might work since it is per-user, but I hate to rely upon sessions.

It is happening once per request, trick is your setup is running every request through .NET so each resource re-authenticate. Since HttpModules are global, that is how it rolls.

Easiest solution is probably to find a way to setup the static resources to not end up running through the .NET pipeline.

[webcosmo]

This process could be much simplified if you would use a login page where you do all the authentication things.

If you use a master page you can check authentication state. if not auth. redirect to login page.

Or you can use a httphandler for the redirect part that could do the checking job on every request.

[tahirjadoon]

This apps requirement is windows authentication and not the form.

I have some checks/traps in place now and testing.

[tahirjadoon]

wwb_99, looks like the request executes for css and js resources etc only on the local dev. Remote dev site is not doing this.

[wwb_99]

Well, that would help. Basically, IIS6 won't, but IIS7 in integrated mode and/or cassini will execute all code through the managed pipeline.

[tahirjadoon]

I ask again:
Several ways to handle this situation, what you are trying to achieve here?

My post #3 above has the details...

Application uses windows authentication.

At a central location, i want to make the checks specified in post#3.

I don't want to handle this via base controller.