Authentication in ASP.NET HttpHandler
I have created an HttpHandler to be used with SWFUpload to upload images to the server. This upload is done in an administration backend, so users need to be authenticated to upload images.
Initially I made the whole administration area deny anonymous users, but because of the way SWFUpload appears to work, it wouldn't work correctly with Forms authentication and would return a 302 status code.
I had thought it would be possible to make the location of my handler public in Web.config and use context.User.Identity.IsAuthenticated in my handler to determine if the user is logged in.
My problem is that context.User.Identity.IsAuthenticated always seems false in the handler after I have logged in. Does anyone have any thoughts on why this might be?
Yes, you'll need to use IRequiresSessionState:
public class CustomGenericHandler : IHttpHandler, System.Web.SessionState.IRequiresSessionState
{
    // code
}
All your sessions will then be usable in the generic handler. Hope this helps!
Which browser are you using when testing?
Your solution should work in IE but will fail in Firefox, since SwfUpload is Flash based and Flash always sends IE cookies to the server: you are logging in (and thereby creating an ASP.NET session cookie) in Firefox, but SwfUpload sends a different set of cookies.
My problem was specific to some code added to Global.asax to fix the SWFUpload cookie bug for non-IE browsers. I had modified the value of the session_cookie_name variable in the Application_BeginRequest event handler to be the same name as I had set in Web.config.
Doing this breaks the functionality across all browsers. The variable value should be left set to its default "ASP.NET_SESSIONID".
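The Global.asax workaround this thread refers to, sketched together with the handler-side check, as an added example that is not code from the original posts. It restores the session and forms-authentication cookies from POST fields before the authentication modules run, and only for the upload handler. The handler path, the field names ASPSESSID and AUTHID, and the class names are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public class Global : HttpApplication
{
    // Assumed names (not from the thread): handler path and POST field names.
    private const string UploadPath = "~/admin/upload.ashx";
    private const string SessionField = "ASPSESSID";
    private const string AuthField = "AUTHID";

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        // Accept cookie values from the body only for POSTs to the upload handler.
        if (request.HttpMethod != "POST" ||
            !string.Equals(request.AppRelativeCurrentExecutionFilePath, UploadPath,
                           StringComparison.OrdinalIgnoreCase))
            return;

        // Session cookie name stays at the default, as the thread concludes.
        RestoreCookie(request, "ASP.NET_SESSIONID", request.Form[SessionField]);
        // The forms ticket is still decrypted and validated by FormsAuthenticationModule.
        RestoreCookie(request, FormsAuthentication.FormsCookieName, request.Form[AuthField]);
    }

    private static void RestoreCookie(HttpRequest request, string name, string value)
    {
        if (string.IsNullOrEmpty(value)) return;
        request.Cookies.Set(new HttpCookie(name, value));
    }
}

public class UploadHandler : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            // 403, not 401: forms authentication rewrites a 401 into the 302 login redirect.
            context.Response.StatusCode = 403;
            return;
        }
        // Authenticated: save context.Request.Files here.
    }
}
```

For Flash to post the ticket back, the upload page has to emit it into its markup, where page script can read it even when the cookie is HttpOnly, so serve that page over HTTPS and keep the path restriction tight.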