I have created an HttpHandler that I will be using with a jQuery Ajax call.
This HttpHandler will access the database and check something related to the currently signed in user.
The user is considered signed in by using the Session, with an attribute called user_id.
Session["user_id"] = userId;
I tried to retrieve this Session in the HttpHandler but that doesn’t seem to work.
So I thought about sending the user_id as a parameter.
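var user_id; // Retrieved in some way...
$.ajax({
    // Send the id as a query-string parameter
    url: 'QuestionRate.ashx?id=' + encodeURIComponent(user_id),
    success: function (msg, status, xhr) {
        alert(msg);
    },
    // jQuery passes (xhr, status, error) to the error callback
    error: function (xhr, status, error) {
        alert(error);
    }
});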
But this really seems like a bad idea; anyone who reads the code can simply access the Handler with the id that he wants.
So what can I do in this situation? I want the Handler to get the user_id for database access, yet I wanna make sure that this user_id is the actual id of the signed in user. There’s no way to access the Session in the Handler?
Passing session id with an ajax call doesn’t sound good.
You should mark your handler with the IReadOnlySessionState marker interface and access the session as read-only via the
HttpContext.Current.Session instance. Code sample:
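The answer's own code sample is not present on this page. The following is an added example, not the answerer's code, of a handler that takes the user id only from the server-side session. The class name QuestionRate is taken from the URL in the question; the integer type of user_id and the CheckSomethingFor helper are assumptions made for illustration.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Added example. IReadOnlySessionState is a marker interface: implementing it
// tells ASP.NET to load session state for this handler, without write access.
public class QuestionRate : IHttpHandler, IReadOnlySessionState
{
    public bool IsReusable
    {
        get { return false; }
    }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        // The id comes from the session that was populated at sign-in
        // (Session["user_id"] = userId;). Any "id" query-string parameter is
        // ignored, so a caller cannot act on behalf of another user.
        object raw = context.Session["user_id"];
        if (raw == null)
        {
            // No signed-in user is attached to this session cookie.
            context.Response.StatusCode = 401;
            context.Response.Write("Not signed in");
            return;
        }

        // Assumption: user_id was stored as an integer (or a numeric string).
        int userId = Convert.ToInt32(raw);

        context.Response.Write(CheckSomethingFor(userId));
    }

    // Hypothetical stand-in for the database check described in the question.
    private static string CheckSomethingFor(int userId)
    {
        return "Checked user " + userId;
    }
}
```

With this in place the Ajax call can request QuestionRate.ashx with no id parameter at all, because the browser sends the session cookie with the request.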