Null session during AcquireRequestState RRS feed

  • Question

  • User-2085019742 posted

    I am subscribing to the AcquireRequestState event in a HttpModule.
    However HttpContext.Current.Session is null.
    I have checked that "Enable Session State" is configured for the site.

    The site is running on Windows Server 2003 R2 Enterprise Edition SP2

    Any ideas why the session is not being created ?

    Wednesday, November 7, 2007 9:28 AM

All replies

  • User-1091210821 posted

    The global.asax page can have an event handler for AcquireRequestState. This is where a session can be accessed for the first time before the control ends up in the target page itself.

    However if the target page has its EnableSession property set to false, then the Session property can not be accessed (either in the page or in Global.asax) as there will be no session. In such case, if Session property is accessed, the HttpException (with message: Session is not valid in this context) is thrown.

    Context.Session will be null for the pages that have disabled session state

    HttpApplication.AcquireRequestState Event Occurs when ASP.NET acquires the current state (for example, session state) that is associated with the current request.
    There can be other issues such as AcquireRequestState being called multiple times such as when calling multiple resources on the same page, such as Validation controls on the page resulting in  ASP.NET 2.0 where we have the WebResource.axd that gets called to retrieve an embedded resource (in this case the WebUIValidation.js from System.Web.dll) which would be retrieved as a separate request. A workaround to the above could be to add the following code in the AcquireRequestState event.

    if (HttpContext.Current.Request.Url.AbsoluteUri.Contains(".axd"))

    Wednesday, November 7, 2007 10:35 AM
  • User-2085019742 posted

    None of the pages on the site have the EnableSession property set to false.

    The site can be switched between Windows and Forms authentication by changing the setting in the web.config file.

    When running under Forms Authentication the session object is OK but not when running under Windows Authentication.

    In this mode we are using the HttpApplication events to set some session information we set in the logon page when using Forms authentication.

    The application runs OK under Windows Authentication when debugging from Visual Studio but not when deployed. 

    Wednesday, November 7, 2007 11:10 AM
  • User-1091210821 posted
    and just to confirm..what you already know
    Forms Authentication Processing

    The FormsAuthenticationModule is activated when the following element is in Web.config.

    <authentication mode="Forms" />

    Remember that for Forms authentication, you implement the Application_Authenticate event in Global.asax. For Forms authentication, the following sequence occurs:

    • Within this code, you can construct an IPrincipal object and store it in HttpContext.User. This typically contains the role list retrieved from a custom data store (normally a SQL Server database or Active Directory). The IPrincipal object is typically an instance of the GenericPrincipal class but could also be a custom IPrincipal class.

      The FormsAuthenticationModule checks to see if you have created an IPrincipal object. If you have, it is used by the downstream authorization modules. If you haven’t, the FormsAuthenticationModule constructs a GenericPrincipal (with no roles) and stores it in the context.

      If there is no role information, any authorization checks (such as PrincipalPermssion demands) that demand role membership, will fail.

    • The UrlAuthorizationModule handles the AuthorizeRequest event. Its authorization decisions are based on the IPrincipal object contained within HttpContext.User.

    Windows Authentication Processing

    The WindowsAuthenticationModule is activated when the following element is in Web.config.

    <authentication mode="Windows" />

    For Windows authentication, the following sequence occurs:

    1. The WindowsAuthenticationModule creates a WindowsPrincipal object using the Windows access token passed to ASP.NET by IIS.

    2. It uses P/Invoke to call Win32 functions to obtain the list of Windows group that the user belongs to. These are used to populate the WindowsPrincipal role list.

    3. It stores the WindowsPrincipal object in HttpContext.User, ready to be used by the downstream authorization modules.

    Wednesday, November 7, 2007 11:48 AM
  • User-2085019742 posted

    Thanks for the two links.

    I am not trying to support Windows and Forms authentication at the same time. The authentication mode is set at deployment by setting the mode in the web.config file as standard.

    The difference between the code in the links and my approach is that when running under Windows authentication I am setting some information retrieved from a database into the session object using a HttpModule rather than a global.aspx page.

    With Forms authentication I can set this in the logon page and the session object exists as expected.


    With Windows authentication I want to set this information when the first page request is recieved, hence my processing of the AcquireRequestState event. However in this case the session object is null. This remains the case with subsequent events handled by this module (PreRequestHandlerExecute etc)

    public class UserWebModule : IHttpModule{public void Init(HttpApplication httpApp)


    httpApp.AcquireRequestState += new EventHandler(OnAcquireRequestState);

    When OnAcquireRequestState is fired HttpContext.Current.Session is null 




    Wednesday, November 7, 2007 12:09 PM
  • User1634317999 posted

    When OnAcquireRequestState is fired HttpContext.Current.Session is null 


    I have the same problem.

    Friday, December 21, 2007 5:34 AM
  • User-1091210821 posted

    Couple of things to check for

    In ASP.NET 2.0 you can try moving the code to PostAcquireRequestState event (it's new event in 2.0 which is raised just after the state is obtained)

    However you indicated that its null in every event..and hence verify that

    1.Check what (file) is requested, is it an aspx file or something else like axd handler which does not have session enabled (handler does not implement certain required interfaces)?  

    2. Narrow it with an empty project.

    3. Check any overridden Init method of your custom application class ---only when it's not fully initialized (first access after AppDomain start indeed). It may be that the client request is generated too soon for sessions to be yet available.

    4. Check web.config for false setting for sessions


    Friday, December 21, 2007 7:14 AM
  • User1634317999 posted


    Thank you very much for your answer. I will start a new thread in the forum for HttpHandlers and HttpModules.
    Saturday, December 22, 2007 1:57 AM