The problem was that the Central Authentication Service (CAS) would invalidate the session tokens after 8 hours. And since most people start at 08h00, the problem would only manifest after 16h00. At this point, the authentication system and the response filter started a tug o’ war – the authentication system trying to redirect the response to the login page and the response filter trying to flush the filtered response back to the client.
Special thanks to Mike D for figuring it out, without even looking at a single line of code… I had to hand over one of my hats.
The solution was simple – to bypass the filter if the response is being redirected (301), line 11:
```csharp
public class WebApplication : System.Web.HttpApplication
{
    public WebApplication()
    {
        ReleaseRequestState += new EventHandler(OnReleaseRequestState);
    }

    void OnReleaseRequestState(object sender, EventArgs e)
    {
        // Ensure that the request is not being redirected before applying the filter
        if (HttpContext.Current.Response.StatusCode == (int)HttpStatusCode.Redirect)
            return;

        // Install the filter
        var response = HttpContext.Current.Response;
        var request = HttpContext.Current.Request;
        response.Filter = new SecurityFilterStream(response.Filter, request);
    }
}
```
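A broader form of the same guard, as an added example that is not code from the original post: `HttpStatusCode.Redirect` is 302 only, so this version skips the filter for every redirect status and for redirects issued through `Response.Redirect`, while all other responses still pass through the filter. `IsRedirectStatus` is a hypothetical helper name; `SecurityFilterStream` is the post's own class and is assumed to take the same constructor arguments as above.

```csharp
using System;
using System.Web;

public class WebApplication : System.Web.HttpApplication
{
    public WebApplication()
    {
        ReleaseRequestState += new EventHandler(OnReleaseRequestState);
    }

    // Hypothetical helper: true for the status codes that carry a Location
    // header and no meaningful body for the filter to rewrite.
    static bool IsRedirectStatus(int statusCode)
    {
        switch (statusCode)
        {
            case 301: // Moved Permanently
            case 302: // Found (HttpStatusCode.Redirect)
            case 303: // See Other
            case 307: // Temporary Redirect
            case 308: // Permanent Redirect
                return true;
            default:
                return false;
        }
    }

    void OnReleaseRequestState(object sender, EventArgs e)
    {
        var response = HttpContext.Current.Response;
        var request = HttpContext.Current.Request;

        // Response.Redirect() sets IsRequestBeingRedirected; the status-code
        // test also covers redirects built by hand (StatusCode plus Location).
        if (response.IsRequestBeingRedirected || IsRedirectStatus(response.StatusCode))
            return;

        // Everything that is not a redirect still goes through the security filter.
        response.Filter = new SecurityFilterStream(response.Filter, request);
    }
}
```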