Our company uses an ASP.NET webapp that I have to integrate with an external identity provider. For this, authentication traffic is in certain cases redirected to a handler which references some external library for interpreting the authentication requests from the identity provider.
So in those cases where the handler code should be used for communicating with the identity provider, a redirect to it is made in the Global.asax Application_BeginRequest. A bit like this:
Response.Redirect(tempUrl & "/auth/" & companyName & "/login.ashx")
The problem is that the session state is set as being cookieless in the root Web.config like this:
<sessionState mode="InProc" [snip] cookieless="true" />
This means that the redirects themselves are caught and redirected again with a session id prefixed. From the login.ashx handler a request is sent to a URL at the external identity provider, which authenticates and sends its response back as a POST to the very same handler URL, namely "http://www.thesite.com/auth/somecompany/login.ashx", however, this time without a session id, of course. So again, the POST is redirected as a GET, stripping the form data from the response, so authentication cannot proceed. The request is then redirected back to the identity provider in an endless loop.
So, we need to turn off cookieless session state for the particular handler. We've investigated several options.
Firstly, the EnableSessionState attribute cannot, unfortunately, be used on handler page directives.
Then, we tried to change the session state behavior of the request to the particular URL by catching and disabling it in Global.asax Application_BeginRequest, like so:
HttpContext.Current.SetSessionStateBehavior(System.Web.SessionState.SessionStateBehavior.Disabled)
That seemed to work at one stage, but not anymore and we're not sure why.
We also tried to see whether "cookieless" could be altered dynamically, but the corresponding field appears to be read-only.
We've put a separate Web.config in the "auth" folder and tried to set cookieless to true there, but that was not allowed.
We can catch the response and see whether it is being redirected in Application_EndRequest and were wondering whether the redirection and session id insertion could be prevented somehow for the particular URL, but we're not sure how. Does anyone have some tips? We're running out of ideas...
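As an added example (not code from the original question), this is what the SetSessionStateBehavior approach looks like when it is applied only to the handler path, written in VB.NET to match the snippets above. It assumes ASP.NET 4.0 or later (HttpContext.SetSessionStateBehavior does not exist in earlier versions), that the handler always lives at ~/auth/<company>/login.ashx, and that the check runs in Application_BeginRequest, i.e. before the session state module's AcquireRequestState step, which is where it would otherwise mint a session id and issue the "(S(...))" redirect. The helper name IsAuthHandlerRequest is my own.

```vb
' Global.asax.vb (added example, not the original poster's code).
' Assumes ASP.NET 4.0+ and a handler path of ~/auth/<company>/login.ashx.
Imports System
Imports System.Web
Imports System.Web.SessionState

Public Class [Global]
    Inherits HttpApplication

    ' True when the app-relative path targets the identity-provider handler.
    ' AppRelativeCurrentExecutionFilePath is "~/auth/somecompany/login.ashx" here;
    ' ASP.NET has already removed any cookieless "(S(...))" segment from it.
    Public Shared Function IsAuthHandlerRequest(ByVal appRelativePath As String) As Boolean
        If String.IsNullOrEmpty(appRelativePath) Then Return False
        Dim segments As String() = appRelativePath.Split("/"c)
        ' Expect exactly four segments: "~", "auth", "<company>", "login.ashx".
        Return segments.Length = 4 _
            AndAlso segments(0) = "~" _
            AndAlso String.Equals(segments(1), "auth", StringComparison.OrdinalIgnoreCase) _
            AndAlso segments(2).Length > 0 _
            AndAlso String.Equals(segments(3), "login.ashx", StringComparison.OrdinalIgnoreCase)
    End Function

    Protected Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim ctx As HttpContext = HttpContext.Current

        If IsAuthHandlerRequest(ctx.Request.AppRelativeCurrentExecutionFilePath) Then
            ' Must happen before AcquireRequestState. With the behavior set to
            ' Disabled, SessionStateModule skips this request entirely, so neither
            ' the GET to the handler nor the identity provider's POST back to it
            ' gets turned into a redirect that drops the form data.
            ctx.SetSessionStateBehavior(SessionStateBehavior.Disabled)
            Return
        End If

        ' Requests that need the external login are redirected to the handler here,
        ' exactly as in the question; that condition is the application's own
        ' logic and is intentionally not reproduced in this example.
    End Sub
End Class
```

Two things to check if this approach stops working, as the question reports: whether anything earlier in the pipeline (another module, or code in BeginRequest itself) touches the session before the call, since the behavior can only be set before AcquireRequestState, and whether the handler is reached through URL rewriting or routing, in which case AppRelativeCurrentExecutionFilePath may not carry the path this check expects. With session state disabled for the handler, it cannot read or write Session at all, so any state that must survive the round trip to the identity provider (a relay state or an anti-replay nonce, for instance) has to travel another way. Keeping the URI-based session away from this exchange is also the safer design regardless: a session id carried in the URL ends up in Referer headers, browser history and server logs, which is the classic session-leakage path that cookie-based sessions avoid.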