You can see the set of all ISAPI filters that are registered in IIS by using the IIS MMC, right-clicking the
Web Sites node, and then clicking on the ISAPI Filters tab in the dialog box that opens. In Figure 1-2, you
can see that there is currently only one ISAPI filter registered by default — the ASP.NET filter.
Depending on your machine, you may see additional filters that provide services such as compression or
that support FrontPage extensions.
Figure 1-2
By default ASP.NET registers the filter with a Low priority, which means that other filters with higher
priorities will have the opportunity to inspect and potentially modify each incoming request. This makes
sense because if, for example, you are running a filter that decompresses incoming HTTP content, you
would want this type of operation to occur prior to ASP.NET carrying out security logic based on the
request’s contents.
The ASP.NET filter handles two ISAPI filter notifications: SF_NOTIFY_PREPROC_HEADERS and
SF_NOTIFY_URL_MAP. This means the filter has the opportunity to manipulate the request prior to IIS
attempting to do anything with the HTTP headers, and the filter has the opportunity to perform some
extra processing while IIS is converting the incoming HTTP request into a request for a resource located
at a specific physical path on disk.
Processing Headers
The ASP.NET filter inspects the request URL, looking for any cookieless tickets. In ASP.NET 2.0, cookieless
tickets are supported for session state (this was also available in 1.1), forms authentication (previously
available as part of the mobile support in ASP.NET) and anonymous identification (new in ASP.NET 2.0).
A sample URL with a cookieless session state ticket is shown here:
http://localhost/inproc/(S(tuucni55xfzj2xqx1mnqdg55))/Default.aspx
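The following is an added example, not code from the book or from ASP.NET: a small parser that recognizes the ticket segment shown in the sample URL, returns the path without it, and redacts ticket values so a URL can be written to a log without storing a live session identifier. The S prefix comes from the sample URL; the A and F prefixes for anonymous identification and forms authentication, and all function names, are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# S is taken from the sample URL above. A (anonymous identification) and
# F (forms authentication) are assumptions of this example.
KINDS = {"S": "session", "A": "anonymous_id", "F": "forms_auth"}

# A whole path segment of the form (X(value)Y(value)...).
SEGMENT = re.compile(r"^\((?:[A-Z]\([^()/]*\))+\)$")
# One ticket inside such a segment: a prefix letter and its value.
TICKET = re.compile(r"([A-Z])\(([^()/]*)\)")


def split_cookieless(url):
    """Return (path_without_tickets, tickets) for a URL.

    tickets maps a ticket kind to its value; an unknown prefix letter is
    kept under the letter itself rather than being dropped.
    """
    kept, tickets = [], {}
    for seg in urlsplit(url).path.split("/"):
        if SEGMENT.match(seg):
            for letter, value in TICKET.findall(seg):
                tickets[KINDS.get(letter, letter)] = value
        else:
            kept.append(seg)
    return "/".join(kept), tickets


def redact(url):
    """Replace every ticket value in the path with a fixed placeholder."""
    parts = urlsplit(url)
    segs = [
        TICKET.sub(r"\1(REDACTED)", seg) if SEGMENT.match(seg) else seg
        for seg in parts.path.split("/")
    ]
    return urlunsplit(parts._replace(path="/".join(segs)))


if __name__ == "__main__":
    sample = "http://localhost/inproc/(S(tuucni55xfzj2xqx1mnqdg55))/Default.aspx"
    print(split_cookieless(sample))
    print(redact(sample))
```

Because the ticket travels in the URL, it also ends up in web server logs, proxy logs, and Referer headers, so redacting it before a URL is stored or forwarded keeps the session identifier out of those records.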