Recently a company project was hit by SQL injection. As a temporary fix, to stop attackers from doing further harm to the database, we initially decided to filter every request with an IHttpModule.
public class HttpModule : IHttpModule
{
    public HttpModule()
    {
        //
        // TODO: add constructor logic here
        //
    }

    #region IHttpModule Members
    public void Init(System.Web.HttpApplication context)
    {
        context.BeginRequest += new EventHandler(ReUrl_BeginRequest);
    }

    public void Dispose()
    {
        // TODO: add HttpModule.Dispose implementation
    }
    #endregion

    /// <summary>
    ///
    /// </summary>
    /// <param name="sender">Event source</param>
    /// <param name="e">EventArgs containing the event data</param>
    private void ReUrl_BeginRequest(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication)sender;
        HttpContext context = application.Context;
        string userId = "";
        if (context.Session != null)
        {
            userId = context.Session["Userid"].ToString();
        }
        /*
        ...... the SQL injection filtering details are omitted
        */
    }
}
I had not paid attention to this before; I only knew that the session cannot be read in Application_Start in Global.asax, because session state is not yet loaded when the application starts!
I assumed the session would already be loaded by the time BeginRequest fires. In fact, context.Session was always null.
We checked the event execution order on MSDN, which is as follows:
While processing the request, the HttpApplication class raises the events listed below. Developers who want to extend the HttpApplication class should pay special attention to them.
1. Validate the request, which examines the information sent by the browser and determines whether it contains potentially malicious markup. For more information, see ValidateRequest and the Script Exploits Overview.
2. Perform URL mapping, if any URLs have been configured in the UrlMappingsSection section of the Web.config file.
3. Raise the BeginRequest event.
4. Raise the AuthenticateRequest event.
5. Raise the PostAuthenticateRequest event.
6. Raise the AuthorizeRequest event.
7. Raise the PostAuthorizeRequest event.
8. Raise the ResolveRequestCache event.
9. Raise the PostResolveRequestCache event.
10. Based on the file extension of the requested resource (mapped in the application's configuration file), select the class that implements IHttpHandler to process the request. If the request is for an object (page) derived from the Page class and the page needs to be compiled, ASP.NET compiles the page before creating an instance of it.
11. Raise the PostMapRequestHandler event.
12. Raise the AcquireRequestState event.
13. Raise the PostAcquireRequestState event.
14. Raise the PreRequestHandlerExecute event.
15. Call the ProcessRequest method (or the asynchronous BeginProcessRequest method) of the appropriate IHttpHandler class. For example, if the request is for a page, the current page instance handles the request.
16. Raise the PostRequestHandlerExecute event.
17. Raise the ReleaseRequestState event.
18. Raise the PostReleaseRequestState event.
19. Perform response filtering if the Filter property is defined.
20. Raise the UpdateRequestCache event.
21. Raise the PostUpdateRequestCache event.
22. Raise the EndRequest event.
The AcquireRequestState event occurs when the handler that actually services the request obtains the state information associated with the request. The Userid stored in the session can only be read once this event has occurred. BeginRequest fires before AcquireRequestState, so code placed in BeginRequest cannot read it.
Therefore the fix is to move the code above into the AcquireRequestState event, like this:
using System;
using System.Web;

namespace EbzonLibrary
{
    /// <summary>
    /// Summary of HttpModule.
    /// </summary>
    public class HttpModule : IHttpModule
    {
        public HttpModule()
        {
            //
            // TODO: add constructor logic here
            //
        }

        #region IHttpModule Members
        public void Init(System.Web.HttpApplication context)
        {
            // session state is not loaded yet at BeginRequest
            // context.BeginRequest += new EventHandler(ReUrl_BeginRequest);
            context.AcquireRequestState += new EventHandler(Context_AcquireRequestState);
        }

        public void Dispose()
        {
            // TODO: add HttpModule.Dispose implementation
        }
        #endregion

        private void Context_AcquireRequestState(object sender, EventArgs e)
        {
            HttpApplication application = (HttpApplication)sender;
            HttpContext context = application.Context;
            string userId = "";
            // Session is still null for handlers that do not implement IRequiresSessionState,
            // so check the session object itself before indexing into it
            if (context.Session != null && context.Session["Userid"] != null)
            {
                userId = context.Session["Userid"].ToString();
            }
            /*
            ......
            filter SQL-dangerous strings
            */
        }
    }
}
This test works! Something worth keeping in mind!
In addition, when using the IHttpModule interface you need to register the module in Web.config as follows.
<system.web>
  <httpModules>
    <add type="EbzonLibrary.HttpModule, EbzonLibrary" name="HttpModule" />
  </httpModules>
  <!--
  ......
  -->
</system.web>
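As an added example (not the post's own code), here is a fuller version of the module: it hooks AcquireRequestState, tolerates requests that carry no session at all, and performs the parameter inspection the post leaves out. The class name, the signature list and the 400 response are my assumptions; a request filter like this is only a stopgap, since parameterized queries are what actually prevent SQL injection.

```csharp
using System;
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;
namespace EbzonLibrary
{
    public class SqlInjectionFilterModule : IHttpModule
    {
        // Crude signature list for a stop-gap filter; parameterized queries remain the real fix.
        private static readonly Regex Suspicious = new Regex(
            @"('|;|--|/\*|\bunion\b.*\bselect\b|\bxp_cmdshell\b)", RegexOptions.IgnoreCase);

        // Subscribe after session state is loaded, not at BeginRequest where Session is null.
        public void Init(HttpApplication context) { context.AcquireRequestState += OnAcquireRequestState; }

        public void Dispose() { }

        private void OnAcquireRequestState(object sender, EventArgs e)
        {
            HttpContext context = ((HttpApplication)sender).Context;
            // Session is still null here for handlers without IRequiresSessionState
            // (static files, custom handlers), so never assume it exists.
            string userId = "anonymous";
            if (context.Session != null && context.Session["Userid"] != null)
            {
                userId = context.Session["Userid"].ToString();
            }
            string hit = FindSuspiciousValue(context.Request.QueryString)
                      ?? FindSuspiciousValue(context.Request.Form);
            if (hit != null)
            {
                // Record who sent it (the session value we came here for) and refuse the request.
                context.Trace.Warn("SqlFilter", "user=" + userId + " blocked " + hit);
                context.Response.StatusCode = 400;
                context.Response.End();
            }
        }

        // Returns "name=value" of the first parameter matching a signature, or null if none match.
        internal static string FindSuspiciousValue(NameValueCollection values)
        {
            foreach (string key in values.AllKeys)
            {
                string value = values[key];
                if (value != null && Suspicious.IsMatch(value)) return key + "=" + value;
            }
            return null;
        }
    }
}
```

Register it under system.web/httpModules exactly as the post's Web.config fragment shows; under the IIS 7+ integrated pipeline the registration goes under system.webServer/modules instead.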