Custom Authentication Module and HTTP Keep-Alive

  • Question

  • User-1718186633 posted

    I am porting an ISAPI filter that performs custom authentication to an HttpModule.  The ISAPI filter uses Basic authentication over SSL and that cannot be changed at this point.  The filter receives the user credentials from the Authorization header and checks the username & password against a database.  I was able to successfully implement the IHttpModule interface and get authentication working, but there is an issue that I cannot seem to figure out.

    With an ISAPI filter, the SF_NOTIFY_AUTHENTICATION event notification is only called once per connection (http://msdn.microsoft.com/en-us/library/ms524855(v=vs.90).aspx).  As long as HTTP keep-alives are enabled, multiple requests can happen on the same connection once it has been authenticated.  Typically, the browser will retrieve the page HTML and all of the associated image, CSS, and other resources using one or two connections, meaning authentication only happens twice even though the page may require 20 individual requests.

    In the HttpModule I have written, the AuthenticateRequest event is used to perform the authentication:

    void IHttpModule.Init(System.Web.HttpApplication context)
    {
      context.AuthenticateRequest += new EventHandler(AuthenticateRequestHandler); 
    } 
    
    private void AuthenticateRequestHandler(object sender, EventArgs e)
    {
      // ... perform authentication ...
    }
    

    It seems the AuthenticateRequest event is triggered for every request (rather than every new connection), which seems logical given its name.  However, I need a way to determine if the connection has already been authenticated so the code can skip the database lookup for every request.  Is there a way to do this using an HttpModule implementation?

    Tuesday, February 19, 2013 8:01 AM

Answers

  • User1779161005 posted

    I think you might have a hard time doing this -- the HttpModule and HttpContext abstract HTTP slightly above the reconnect mechanics at that lower level. If you do find a way, then post here -- it'd be interesting to find out. The only thing I can think of is that if you implemented it at the native C++/IIS level you might have that lower level of control.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, February 19, 2013 8:13 AM
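
The module below is an added example, not code from either poster. It does not detect connection reuse; it avoids the per-request database lookup another way, by caching successful credential checks for a short time under an HMAC of the credentials. The class name, `VerifyAgainstDatabase`, the two-minute TTL and the realm string are assumptions, and it targets System.Web on .NET Framework 4 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Caching;

// Added example. Derive and implement VerifyAgainstDatabase (hypothetical name) with the existing lookup.
public abstract class CachedBasicAuthModule : IHttpModule
{
    static readonly TimeSpan Ttl = TimeSpan.FromMinutes(2);   // assumed value; also the revocation lag
    static readonly byte[] KeySecret = new byte[32];          // per-process HMAC key, never persisted
    static CachedBasicAuthModule() { using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(KeySecret); }
    protected abstract bool VerifyAgainstDatabase(string user, string password);
    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticate; }
    public void Dispose() { }
    void OnAuthenticate(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        string user, password;
        bool ok = false;
        if (TryParseBasic(app.Request.Headers["Authorization"], out user, out password))
        {
            // Key the cache on an HMAC of the credentials so the password itself is never stored.
            string cacheKey;
            using (var hmac = new HMACSHA256(KeySecret))
                cacheKey = "basic-auth:" + Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(user + "\0" + password)));
            ok = HttpRuntime.Cache.Get(cacheKey) != null;                 // hit: skip the database
            if (!ok && (ok = VerifyAgainstDatabase(user, password)))      // only successes are cached
                HttpRuntime.Cache.Insert(cacheKey, true, null, DateTime.UtcNow.Add(Ttl), Cache.NoSlidingExpiration);
        }
        if (ok) { app.Context.User = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]); return; }
        app.Response.StatusCode = 401;
        app.Response.AddHeader("WWW-Authenticate", "Basic realm=\"example\""); // placeholder realm
        app.CompleteRequest();
    }
    static bool TryParseBasic(string header, out string user, out string password)
    {
        user = password = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;
        user = decoded.Substring(0, colon); password = decoded.Substring(colon + 1);
        return true;
    }
}
```

A changed or revoked password stays accepted until its cache entry expires, so the TTL trades database load against revocation delay. Failed attempts are never cached, so every wrong password still reaches the database and any lockout or throttling there continues to apply.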