When is Session State ready for use in asp.net

Question

I have an asp.net site, where in i am checking session variable in Global.asax in Application_BeginRequest but it always says object reference not set to an instance of an object, i don't understand this, because i am checking the condition for null before using the value, but still it throws the above error, however when i check it inside the default.aspx Page_Load event it works properly without any issues.

Can anyone tell whats the problem behind this, am i not supposed to use the session variable inside Application_BeginRequest

If yes, then how i will be checking the session value, what i want to achieve is, if user is logged in (If Session["Login"] is not empty means user logged in) and has the rights to access the page, then allow him/her else throw him to the homepage.

Here is what i am doing.
Below function checks for if user is logged in:

public static String LoggedInUser
    {
        get
        {
            if (HttpContext.Current.Session["Login"] == null)
                return String.Empty;
            else
                return HttpContext.Current.Session["Login"].ToString();
        }
        set
        {
            HttpContext.Current.Session["Login"] = value;
        }
    }

Below function checks if user has right to access the page:

public static bool IsPageAllowed(String Pagename)
{
    bool _isPageAllowed = false;
    XmlDocument doc = new XmlDocument();
    doc.Load(HttpContext.Current.Server.MapPath("Pagenames.xml"));
    if (LoggedInUser != String.Empty)
    {
        XmlNodeList list = doc.DocumentElement.SelectNodes("/AllPages/Pages[@user='" + GetLoggedInUserRole(Globals.LoggedInUser).ToLower() + "']/Page[contains(text(), '" + Pagename + "')]");
        if (list.Count > 0)
            _isPageAllowed = true;
    }
    return _isPageAllowed;
}

And below function is used on Application_BeginRequest to redirect user based on their rights:

if (!Globals.IsPageAllowed(rawUrl.Substring(1, rawUrl.Length - 1)))
        {
            Response.Redirect("default.aspx");
        }

Answer 1

Session state is available during and after appropriately named HttpApplication.PostAcquireRequestState.

Occurs when the request state (for example, session state) that is associated with the current request has been obtained.

Full sequence of events with descriptions is available somewhere on [MSDN](http://msdn.microsoft.com/en-us/library/bb470252.aspx and other sites like ASP.NET Application Life Cycle

Shortened list of events below (many events are omitted, see MSDN link for details):

• BeginRequest
• AuthenticateRequest
• AcquireRequestState
• PostAcquireRequestState
• ProcessRequest method (or the asynchronous version IHttpAsyncHandler.BeginProcessRequest) of the appropriate IHttpHandler class for the request. For example, if the request is for a page, the current page instance handles the request.

Note that session state is not available till at least AcquireRequestState (where it may be available if SessionStateModule managed to receive that event before your code). There is no way Session will be available during BeginRequest.

Note that there are explicit authentication events that should be used if you need authentication/authorization (also it is not usable for your case as you keep auth information in session state).