Home > Articles > Security > General Security and Privacy

  • Print
  • + Share This
From the author of

.NET Hook to HTTP Pipe

Figure 1 illustrates the ASP.NET HTTP pipeline. Each incoming HTTP request to the IIS server would be examined by HttpRuntime prior to forwarding it to the appropriate application. A request received by the HttpApplication object is passed to the appropriate application handler. Two interesting interfaces are provided by the .NET framework which can provide a hook to the HTTP request processing pipeline:

  • IHttpModule
  • IHttpHandler

Our objective here is to get access to session information along with the HTTP request. This makes IHttpModule a more meaningful choice because it is higher in the pipeline with access to session variables.

Figure 01

Figure 1 HTTP pipeline for ASP.NET.

To achieve our objective, we will build our own firewall that has access to session variables. In this framework, we will process session-driven rules that can act as a stateful firewall. Let’s build this stateful firewall from scratch and call it StateWall. The complete source code for StateWall is as shown in Listing 1. The next section dissects the source code step-by-step in order to provide clarity in understanding its implementation and will be followed by the section on compilation and deployment of StateWall.

Listing 1

using System;
using System.Collections.Generic;
using System.Text;
using System.Web;
using System.Web.SessionState;

namespace StateWall
{
 public class StateShield : IHttpModule
 {
  public void Init(HttpApplication ctx)
  {
ctx.PreRequestHandlerExecute += new EventHandler(RunSessionRules);
  }

  public void Dispose(){}

  private void RunSessionRules(object sender, EventArgs e)
  {
   HttpContext ctx = HttpContext.Current;
   HttpSessionState session = ctx.Session;
      
   if (ctx.Request.Url.LocalPath == "/logout.aspx")
   {
     session.RemoveAll();
     ctx.Response.Write("All session variables are flushed out!");
     ctx.Response.End();
   }
   if (ctx.Request.Url.LocalPath != "/login.aspx")
   {
     int flag = 0;
     foreach (string key in session.Keys)
     {
      if (key.ToString() == "login")
      {
       if (session[key].ToString() == "successful")
       {
         flag = 1;
       }
      }
     }
     if (flag == 0)
     {
      ctx.Response.Write("Unauthorized access without session.");
      ctx.Response.End();
     }
   }        
  }
 }
}
  • + Share This
  • 🔖 Save To Your Account