Question

I am trying to debug a System.Web.HttpException that I keep getting. It could be related to a BasicAuthentication custom HttpModule I am trying to implement.

The BasicAuthentication HttpModule is subscribing to two events in the pipeline, BeginRequest and AuthenticateRequest.

All the code that subscribes to the BeginRequest event executes successfully. But before the code subscribing to AuthenticateRequest is executed I get a System.Web.HttpException.

The exception is as follows:

Exception Details: System.Web.HttpException: This server variable cannot be modified during request execution.

and the stack trace is as follows

[HttpException (0x80004005): This server variable cannot be modified during request execution.]
System.Web.HttpServerVarsCollection.SetServerVariableManagedOnly(String name, String value) +2423129
System.Web.HttpServerVarsCollection.SynchronizeServerVariable(String name, String value) +28
System.Web.HttpRequest.SynchronizeServerVariable(String name, String value) +112
System.Web.Hosting.IIS7WorkerRequest.GetServerVarChanges(HttpContext ctx) +372
System.Web.Hosting.IIS7WorkerRequest.SynchronizeVariables(HttpContext context) +8743312
System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +154

The code runs fine on my local machine but not on my host server.

UPDATE

I have found the offending code but not figured out how to fix the bug. Here is the basic code.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web;


namespace CustomHttpModule
{
    public class CustomModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.BeginRequest += new EventHandler(context_BeginRequest);
            context.AuthenticateRequest += new EventHandler(context_AuthenticateRequest);
        }

        public void context_BeginRequest(Object sender, EventArgs e)
        {
            HttpApplication context = (HttpApplication)sender;
            string authHeader = context.Context.Request.Headers["Authorization"];

            if (String.IsNullOrEmpty(authHeader))
            {
                SendAuthHeader(context);
            }

            context.Context.Response.Clear();
            context.Context.Response.Write("Have reached the end of BeginRequest");
            //context.Context.Response.End();
        }

        private void SendAuthHeader(HttpApplication context)
        {
            context.Response.Clear();
            context.Response.StatusCode = 401;
            context.Response.StatusDescription = "Authorization Request";
            context.Response.AddHeader("WWW-Authenticate", "Basic realm=\"Secure Area\"");
            context.Response.Write("401 baby, please authenticate");
            context.Response.End();
        }

        public void context_AuthenticateRequest(Object sender, EventArgs e)
        {
            HttpApplication context = (HttpApplication)sender;

            context.Context.Response.Clear();
            context.Context.Response.Write("Have reached the Beginning of AuthenticateRequest");
            context.Context.Response.End();
        }

        public void Dispose()
        {
        }
    }
}

This code produces the error. But if you change the line

string authHeader = context.Context.Request.Headers["Authorization"];

to

string authHeader = context.Context.Request.Headers["Host"];

then the code also executes fine.

It seems to be accessing Headers["Authorization"]; that is causing the bug.

But if you leave Headers["Authorization"]; and uncomment the line //context.Context.Response.End(); then the code also executes fine.

The bug seems to happen between the end of BeginRequest and the start of AuthenticateRequest, but it seems to be related to the code Headers["Authorization"];

I have no idea why this should be. I am wondering if it is just a bug with the server as the code runs fine on my local machine.


Solution

It looks as though the bug is caused by the server variable AUTH_USER being changed, which is not allowed by the integrated pipeline in IIS7 and above.

http://support.microsoft.com/kb/2605401/en-us?sd=rss&spid=14855

This link gives details.

It says authentication notifications can be handled within a managed module. However, I still don't know how to achieve this. But I am going to open a new question on that topic as this question is getting rather lengthy and is effectively solved.
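
One common way to handle the authentication notification in a managed module, as an added example that is not the poster's code and is not confirmed to resolve the error on their host: authenticate in AuthenticateRequest by setting HttpContext.User, and issue the challenge in EndRequest rather than calling Response.End() in BeginRequest. BasicAuthModule and TryParseBasic are hypothetical names, and Membership.ValidateUser assumes a configured membership provider.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

public class BasicAuthModule : IHttpModule // added example; hypothetical name
{
    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
        app.EndRequest += OnEndRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        string user, password;
        if (TryParseBasic(app.Request.Headers["Authorization"], out user, out password)
            && Membership.ValidateUser(user, password)) // assumes a configured membership provider
        {
            app.Context.User = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
            return;
        }
        app.Response.StatusCode = 401;
        app.CompleteRequest(); // skip straight to EndRequest; no Response.End()
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpResponse response = ((HttpApplication)sender).Response;
        if (response.StatusCode == 401) // challenge only when the request was rejected
            response.AddHeader("WWW-Authenticate", "Basic realm=\"Secure Area\"");
    }

    internal static bool TryParseBasic(string header, out string user, out string password)
    {
        user = password = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        string pair;
        try { pair = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; } // malformed base64 is treated as no credentials
        int colon = pair.IndexOf(':'); // split on the first ':'; the password may contain more
        if (colon < 0) return false;
        user = pair.Substring(0, colon);
        password = pair.Substring(colon + 1);
        return true;
    }
    public void Dispose() { }
}
```

Basic credentials are only base64-encoded on the wire, so a module like this belongs behind HTTPS.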

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow