The Global.asax file, sometimes called the ASP.NET application file, provides a way to respond to application or module level events in one central location. You can use this file to implement application security, as well as other tasks.
Overview
The Global.asax file is in the root application directory. While Visual Studio .NET automatically inserts it in all new ASP.NET projects, it's actually an optional file. It's okay to delete it—if you aren't using it. The .asax file extension signals that it's an application file rather than an ASP.NET file that uses aspx.
The Global.asax file is configured so that any direct HTTP request (via URL) is rejected automatically, so users cannot download or view its contents. The ASP.NET page framework recognizes automatically any changes that are made to the Global.asax file. The framework reboots the application, which includes closing all browser sessions, flushes all state information, and restarts the application domain.
Programming
The Global.asax file, which is derived from the HttpApplication class, maintains a pool of HttpApplication objects, and assigns them to applications as needed. The Global.asax file contains the following events:
- Application_Init: Fired when an application initializes or is first called. It's invoked for all HttpApplication object instances.
- Application_Disposed: Fired just before an application is destroyed. This is the ideal location for cleaning up previously used resources.
- Application_Error: Fired when an unhandled exception is encountered within the application.
- Application_Start: Fired when the first instance of the HttpApplication class is created. It allows you to create objects that are accessible by all HttpApplication instances.
- Application_End: Fired when the last instance of an HttpApplication class is destroyed. It's fired only once during an application's lifetime.
- Application_BeginRequest: Fired when an application request is received. It's the first event fired for a request, which is often a page request (URL) that a user enters.
- Application_EndRequest: The last event fired for an application request.
- Application_PreRequestHandlerExecute: Fired before the ASP.NET page framework begins executing an event handler like a page or Web service.
- Application_PostRequestHandlerExecute: Fired when the ASP.NET page framework is finished executing an event handler.
- Applcation_PreSendRequestHeaders: Fired before the ASP.NET page framework sends HTTP headers to a requesting client (browser).
- Application_PreSendContent: Fired before the ASP.NET page framework sends content to a requesting client (browser).
- Application_AcquireRequestState: Fired when the ASP.NET page framework gets the current state (Session state) related to the current request.
- Application_ReleaseRequestState: Fired when the ASP.NET page framework completes execution of all event handlers. This results in all state modules to save their current state data.
- Application_ResolveRequestCache: Fired when the ASP.NET page framework completes an authorization request. It allows caching modules to serve the request from the cache, thus bypassing handler execution.
- Application_UpdateRequestCache: Fired when the ASP.NET page framework completes handler execution to allow caching modules to store responses to be used to handle subsequent requests.
- Application_AuthenticateRequest: Fired when the security module has established the current user's identity as valid. At this point, the user's credentials have been validated.
- Application_AuthorizeRequest: Fired when the security module has verified that a user can access resources.
- Session_Start: Fired when a new user visits the application Web site.
- Session_End: Fired when a user's session times out, ends, or they leave the application Web site.
The event list may seem daunting, but it can be useful in various circumstances.
A key issue with taking advantage of the events is knowing the order in which they're triggered. The Application_Init and Application_Start events are fired once when the application is first started. Likewise, the Application_Disposed and Application_End are only fired once when the application terminates. In addition, the session-based events (Session_Start and Session_End) are only used when users enter and leave the site. The remaining events deal with application requests, and they're triggered in the following order:
- Application_BeginRequest
- Application_AuthenticateRequest
- Application_AuthorizeRequest
- Application_ResolveRequestCache
- Application_AcquireRequestState
- Application_PreRequestHandlerExecute
- Application_PreSendRequestHeaders
- Application_PreSendRequestContent
- {{{{code executed}}}}
- Application_PostRequestHandlerExecute
- Application_ReleaseRequestState
- Application_UpdateRequestCache
- Application_EndRequest
A common use of some of these events is for security. The Global.asax file is the central point for ASP.NET applications. It provides numerous events to handle various application-wide tasks such as user authentication, application start up, application error and dealing with user sessions etc. You should be familiar with this optional file to build robust ASP.NET-based applications.