tags:

views:

180

answers:

3
+3  Q: 

When is it safe to do a Response.Redirect() without throwing an exception?

I have an intermediary class extending System.Web.UI.Page for all of my pages that require authentication. The class mostly does custom authentication handling.

When a user with insufficient access attempts to visit a page, I try to redirect the user back to the login page while preventing any further page events from being executed (ie. Page_load). The first solution that came to mind was the default implementation of Response.Redirect. Of course the downside to this is the possibility of ThreadAbortExceptions being thrown.

So my question is this: When (if at all) during the page life cycle is it actually safe to execute Response.Redirect() without ThreadAbortException ever being thrown?

public class CustomPage : System.Web.UI.Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (!IsValid())
            Response.Redirect("login.aspx", true);
    }
}
+1  A: 

Curious, why are you doing this yourself? If anything, you should be using one of the authentication providers (ultimately, FormsAuthentication can be customized to handle almost any scenario you can think of).

Then, you can use the authorization element in your web.config file to indicate what pages/directories are not able to be accessed by anonymous users. ASP.NET will take care of the rest, redirecting the user to the login page you specify, as well as redirecting back when the user has logged in.

casperOne  2010-03-29 17:33:32
That was one option I had considered. I thought this was the easiest and most easily maintained of the solutions I came up with. All of the pages requiring authentication are kept in a single directory. There are 5+ roles for accessing the pages and each page in the directory (20+) have different role requirements. I saw myself doing up a location section in the web.config for each page requiring authentication. My other option was to split the files into separate directories for each role. The issue I had with this was path maintenance if a user was in multiple roles.
DDechant  2010-03-29 17:56:47
+3  A: 

It's never "safe" if you're passing true as the second parameter - it will always throw the exception. Internally, Response.Redirect() calls Response.End(), which directly aborts the current thread.

The only "safe" way to truncate an HttpRequest without having an exception thrown is by using HttpApplication.CompleteRequest(), but this will result in further code execution in the current request.

womp  2010-03-29 17:35:32
I'm not sure this is the case. The reason I think otherwise is because Response.End() checks for IsInCancellablePeriod before throwing the exception. So somehow, somewhere Response.End() can be called without hitting that exception.
DDechant  2010-03-29 18:06:46
You'll need to dig deeper. You'll see that IsInCancellablePeriod is entirely controlled by a flag on HttpApplication.IExecutionStep interface objects. This flag is defined as `return !(this._application.Context.Handler is IHttpAsyncHandler);` for any CallHandler implementation (which is what calls ProcessRequest, which is what invokes the page lifecycle). In other words, unless you are executing an asynchronous request, it will always be false for the entire page lifecycle.
womp  2010-03-29 18:37:34
So if I call Response.Redirect("login.aspx") without a try/catch shouldn't it hit HttpApplication.Application_Error (which it isn't)?
DDechant  2010-03-29 19:01:53
I think it should, although I could be wrong. ThreadAbortException is a pretty special case exception.
womp  2010-03-29 19:53:46
A: 

If you don't want a ThreadAbort exception you should pass False to the endResponse parameter. Of course this means you have to process the rest of the page, which is hard to get right.

Unless you are doing something really stupid like holding a lock, it is perfectly safe to throw a ThreadAbort exception in an ASP.NET page.

Another option is to use a Server.Transfer. This has better performance than a redirect, but it too uses ThreadAbort exceptions.

Jonathan Allen  2010-03-29 17:50:57

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?