IHttpModule is an excellent interface with which to build a perimeter defense for web applications. It is easy to build and deploy. Numerous validations and session-based decisions can be deployed at the firewall level to guard against several attack vectors. Session variables are very critical for applications and can be used to determine the HTTP state of incoming requests. StateWall is the implementation of the concept of building a session-based application firewall on the .NET server and can be extended to other uses. This approach can help in building a sound defense against critical issues such as session and identity hijacking, and can protect Web applications from some of the security vulnerabilities that crop up due to sloppy coding practices. The true beauty of an application firewall-level defense is that no coding is required to be done at the application level. One-time coding or rule set creation at the firewall level can block multiple holes across the application.