Search code examples

User set to nothing in ASP.NET WebForms HTTP Module

I have the below custom module in an web application. The module works from chrome on my PC but when I try to access a video from Android I get an error because the userid (_context.User) is not set. This all occurs after I have logged into the application. Therefore _context.User should be set.

I would have thought because at this level you are dealing with HTTP Requests and Responses that the module would work for any device.

I have two questions.

Is there a way to make this work?

What is the difference between the requests sent by the Android tablet and PC to cause this issue?

Public Class VideoSecurityModule Implements IHttpModule Implements IRequiresSessionState Private WithEvents _context As HttpApplication

Public Sub Dispose() Implements IHttpModule.Dispose
End Sub

Dim myUserManager As UserManager

Public Sub Init(ByVal context As HttpApplication) Implements IHttpModule.Init
    _context = context
    myUserManager = New UserManager
   End Sub

Public Sub Log(value As String, ParamArray args As Object())
    Dim message As String = String.Format(value, args)
    Dim messagePrefix As String = String.Format("{0},{1},{2},{3}", UserAgent, Url, SessionId, message)
    LogManager.WriteMessage(messagePrefix, "")
End Sub

Private ReadOnly Property UserAgent() As String
            Return _context.Request.UserAgent
        Catch ex As Exception
            Return "No User Agent"
        End Try
    End Get
End Property

Private ReadOnly Property Url() As String
            Return _context.Request.Url.PathAndQuery
        Catch ex As Exception
            Return "No URL"
        End Try
    End Get
End Property

Private ReadOnly Property SessionId() As String
            Return __context.Session.SessionID
        Catch ex As Exception
            Return "No URL"
        End Try
    End Get
End Property

Public ReadOnly Property IsReusable() As Boolean
    ' IsReusable must be set to false since class has a member!
        Return True
    End Get
End Property

Public Sub OnAuthorizeRequest(ByVal source As Object, ByVal e As EventArgs) Handles _context.AuthorizeRequest

    If IsVideoUrl() Then

        Dim userId As Integer = GetLoggedInUsersId()
        Log("UserRequiresAuthorization({0}): {1}", userId, UserRequiresAuthorization(userId))
        Log("UserIsAssignedToCourseContainingVideo({0}): {1}", userId, UserIsAssignedToCourseContainingVideo(userId))
        ' if user is not assigned to a course that utilizes the video or the user is not in role super user or system admin
        If (UserRequiresAuthorization(userId) AndAlso Not UserIsAssignedToCourseContainingVideo(userId)) Then
        End If
    End If
End Sub

Private Function GetLoggedInUsersId() As Integer
    Dim userId As Integer = 0
    If (Not _context.User Is Nothing) Then
        userId = myUserManager.GetUserIdByUserName(_context.User.Identity.Name)
    End If
    Log("userId:{0}", userId)
    Return userId
End Function

Private Sub SendAuthenticationRequiredResponse()
    Const networkAuthenticationRequiredStatusCode As Integer = 511
    _context.Response.StatusCode = networkAuthenticationRequiredStatusCode
    _context.Response.Write("UnAuthorized User")
    Log("UnAuthorized User: {0}", "")
End Sub

Private Function IsVideoUrl() As Boolean
    Dim fileLocation As String = System.Configuration.ConfigurationManager.AppSettings("VideoLocation")
    Log("url:{0}", _context.Request.Url)
    Log("IsVideoUrl:{0}", _context.Request.FilePath.ToLower().Contains(fileLocation.ToLower()))
    Return _context.Request.FilePath.ToLower().Contains(fileLocation.ToLower())
End Function

Private Function UserDoesNotRequireAuthorization(userId As Integer) As Boolean
    Return myUserManager.IsSysAdmin(userId) OrElse myUserManager.IsSuperUser(userId)
End Function

Private Function UserRequiresAuthorization(userId As Integer) As Boolean
    Dim result As Boolean = Not UserDoesNotRequireAuthorization(userId)
    Return result
End Function

''' <summary>
''' Returns true if the in-putted user (logged in user) has been allocated to a course that utilize video specified in this request
''' </summary>
Private Function UserIsAssignedToCourseContainingVideo(userId As Integer) As Boolean
    ' ... code removed for clarity
End Function

End Class


  • This is a known issue with a number versions of android. My limited research suggests that video requests are passed to a separate component in android called stagefright. Stagefright can not handle cookies and therefore no authentication cookie is passed to the web application resulting in the _context.User property not being set.

    The following links provide more in depth details.

    Do Mobile Browsers send httpOnly cookies via the HTML5 Audio-Tag?