
ASP.NET: where to put code to redirect users without a session to the homepage?

I have a web app with loads of pages and most of them require some session variables in order to function.

I want to put some defensive code in my app. Where is the best place to put something like:

    if (Session.Count == 0)
    {
        Response.Redirect("~/default.aspx");
    }

EDIT: How do I check if the current page is default.aspx?

kacalapy asked Feb 04 '11 14:02


1 Answer

Quite difficult, yeah fortunately it is solved.

You need to implement Application_PreRequestHandlerExecute in Global.asax.

Here is the code:

    /// <summary>
    /// Occurs just after the session is initialized and before the Page_Init event.
    /// Requires: using System; using System.Web.SessionState;
    /// </summary>
    protected void Application_PreRequestHandlerExecute(Object sender, EventArgs e)
    {
        // Check whether a session is required: .aspx handlers require a
        // session, so it is available for them. Requests for .jpg or .css
        // files are HTTP requests too, but they do not require a session, so
        // Session will be null for them, even if you have implemented a
        // URL rewriter or a custom IHttpModule.
        if (Context.Handler is IRequiresSessionState
               || Context.Handler is IReadOnlySessionState)
        {
            // Your actual code goes here: check whether the session
            // is a new one, or apply any other logic of your own.
            if (Session.IsNewSession
                || Session.Count < 1)
            {
                // For instance, if your login page is default.aspx, a request
                // for that page itself must not be redirected.
                // Compare the app-relative path exactly: a Contains() test on
                // the full URL also matches "/default.aspx" inside a query
                // string or path info, letting other pages skip this check.
                if (!string.Equals(Context.Request.AppRelativeCurrentExecutionFilePath,
                        "~/default.aspx", StringComparison.OrdinalIgnoreCase))
                {
                    // redirect to your login page
                    Context.Response.Redirect("~/default.aspx");
                }
            }
        }
    }

Edit 1: Explanation & Conclusion

As one of the guys mentioned, this is about the ASP.NET Application Life Cycle.

There are plenty of events that occur.

The events in Global.asax are actually raised in the following sequence:

  1. Validate Request // looks like just an internal mechanism
  2. Perform URL Mapping // looks like just an internal mechanism
  3. Raise the BeginRequest event.
  4. Raise the AuthenticateRequest event.
  5. Raise the PostAuthenticateRequest event.
  6. Raise the AuthorizeRequest event.
  7. Raise the PostAuthorizeRequest event.
  8. Raise the ResolveRequestCache event.
  9. Raise the PostResolveRequestCache event.
  10. Select a class that implements IHttpHandler for the application // looks like just an internal mechanism
  11. Raise the PostMapRequestHandler event.
  12. Raise the AcquireRequestState event. Just before raising this event, ASP.NET loads state such as the Session.
  13. Raise the PostAcquireRequestState event.
  14. Raise the PreRequestHandlerExecute event.
  15. Call the ProcessRequest method

Conclusion: None of the events before the AcquireRequestState event have the Session object, because the Session has not yet been loaded by ASP.NET. Any event from the AcquireRequestState event onward has the Session object, so this problem is solved. However, some checks are required, as I mentioned in the code above.

Waqas Raja answered Sep 27 '22 23:09
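The same session gate packaged as an IHttpModule, hooked at the first event where session state is loaded and using an exact-match allow-list of exempt pages. This is an added example, not code from the original answer; the class name SessionGateModule, the AnonymousPages list and the IsAnonymousPage helper are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical module name; register it under <system.webServer><modules> in web.config.
public sealed class SessionGateModule : IHttpModule
{
    // Hypothetical allow-list of app-relative pages reachable without session data.
    private static readonly HashSet<string> AnonymousPages =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "~/default.aspx"
        };

    public void Init(HttpApplication app)
    {
        // Session state is loaded during AcquireRequestState, so this is the
        // earliest event at which HttpContext.Session can be populated.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Null for handlers that do not use session state (.css, .jpg, ...).
        if (ctx.Session == null) return;

        // Exact match on the executing page; query string and path info are ignored.
        if (IsAnonymousPage(ctx.Request.AppRelativeCurrentExecutionFilePath)) return;

        if (ctx.Session.IsNewSession || ctx.Session.Count < 1)
        {
            // endResponse: false avoids ThreadAbortException; CompleteRequest
            // skips the remaining pipeline events, so the page handler never runs.
            ctx.Response.Redirect("~/default.aspx", false);
            ctx.ApplicationInstance.CompleteRequest();
        }
    }

    // Pure helper so the matching rule can be unit tested on its own.
    public static bool IsAnonymousPage(string appRelativePath)
    {
        return appRelativePath != null && AnonymousPages.Contains(appRelativePath);
    }

    public void Dispose() { }
}
```

With this rule, IsAnonymousPage("~/Default.aspx") is true, while a request such as ~/reports.aspx?next=/default.aspx resolves to ~/reports.aspx and is still gated.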