
Extending the ASP.NET Runtime with Custom HTTP Modules

ASP.NET expert Stephen Walther discusses how you can extend the ASP.NET runtime. In this article, you learn how to implement an HTTP module in order to create a custom XML authentication and authorization system.

The ASP.NET Framework was designed to be modular. For example, if you don't like the way that Microsoft implemented Session state, caching or authentication, then you can simply replace any of Microsoft's modules with one of your own. This article discusses how you can build your own HTTP modules by walking you through the process of creating an XML authentication and authorization module.

Understanding HTTP Modules

An HTTP module is a class that contains code that executes whenever someone makes a request for a page in your ASP.NET application. Because a module executes each and every time someone makes a request for a page, modules are perfect for implementing functionality such as caching, authentication, and state management.

In the old, ugly, messy days before ASP.NET, the only way to implement the functionality of a module was to create something called an ISAPI filter. Creating an ISAPI filter required significant work. Fortunately, creating an HTTP module requires very little work because you can take advantage of the same programming skills used when building normal ASP.NET pages.

The ASP.NET Framework, by default, makes use of the following modules:

  • OutputCache module—Used for implementing page output caching

  • Session module—Used for implementing Session state

  • WindowsAuthentication module—Used for implementing Windows authentication

  • FormsAuthentication module—Used for implementing Forms authentication

  • PassportAuthentication module—Used for implementing Microsoft Passport authentication

  • The UrlAuthorization module—Used for implementing URL authorization

  • The FileAuthorization module—Used for implementing file authorization by using Windows file system ACLs

All of these modules are called whenever you make a request for a page in an ASP.NET application. For example, the Session module handles the details of storing and retrieving items from Session state between page requests.

These standard modules are listed in the Machine.Config file located in the following folder:


You can find the modules listed in the <httpModules> section of the Machine.Config file. For example, the Machine.Config section on my server looks like this:

 <add name="OutputCache" 
 <add name="Session" 
 <add name="WindowsAuthentication" 
 <add name="FormsAuthentication" 
 <add name="PassportAuthentication" 
 <add name="UrlAuthorization" 
 <add name="FileAuthorization" 

You'll notice that each entry lists the module's name and the class responsible for implementing it. For example, the Session module is implemented by the System.Web.SessionState.SessionStateModule class.

If you want to modify the way that Session state is implemented in the ASP.NET Framework, you can replace the Session module with your own custom Session module. Simply modify the listing in the <httpModules> section so that it points to your custom class.

Furthermore, if you want to add your own modules to the ASP.NET Framework, then you simply need to list a new module in the <httpModules> section. You can modify the Machine.Config file when you want to use the new module with all applications located on your Web server. Alternatively, if you want to use the new module with a particular application, you can add a Web.Config file to the root directory of that application.
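Because any entry in the <httpModules> section runs on every request, it is worth checking what an application's Web.Config does to the default list. The following is an added example, not code from the article: it replays a Web.Config's `<add>`, `<remove>` and `<clear/>` elements (the latter two are standard ASP.NET configuration elements not shown above) over the default module names listed earlier and reports what changed. The sample configuration is constructed and its `Example.Modules` type names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Default module names, copied from the list in the article.
DEFAULT_MODULES = ("OutputCache", "Session", "WindowsAuthentication",
                   "FormsAuthentication", "PassportAuthentication",
                   "UrlAuthorization", "FileAuthorization")

# Constructed sample Web.Config; the Example.Modules types are hypothetical.
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.web>
    <httpModules>
      <remove name="UrlAuthorization" />
      <remove name="Session" />
      <add name="Session" type="Example.Modules.CustomSessionModule, Example.Modules" />
      <add name="XmlAuthentication" type="Example.Modules.XmlAuthModule, Example.Modules" />
    </httpModules>
  </system.web>
</configuration>
"""

def audit_http_modules(config_xml):
    """Replay <clear/>, <remove> and <add> in document order over the default
    list and return (change, name, type) tuples for every difference."""
    effective = {name: None for name in DEFAULT_MODULES}  # None = stock class
    section = next(ET.fromstring(config_xml).iter("httpModules"), None)
    for element in (section if section is not None else ()):
        if element.tag == "clear":
            effective.clear()
        elif element.tag == "remove":
            effective.pop(element.get("name"), None)
        elif element.tag == "add":
            effective[element.get("name")] = element.get("type")
    findings = []
    for name in DEFAULT_MODULES:
        if name not in effective:
            findings.append(("removed", name, None))
        elif effective[name] is not None:
            findings.append(("replaced", name, effective[name]))
    findings += [("added", name, type_name) for name, type_name in effective.items()
                 if name not in DEFAULT_MODULES]
    return findings

def access_control_changes(findings):
    """Names of default authentication/authorization modules that no longer run as shipped."""
    return [name for change, name, _ in findings
            if change != "added" and name.endswith(("Authentication", "Authorization"))]

if __name__ == "__main__":
    for finding in audit_http_modules(SAMPLE_WEB_CONFIG):
        print(finding)
```

A removed or replaced authentication or authorization module means the application no longer enforces access the way the server default does, so those findings deserve review before any added module is considered.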
