Vulnerability in EPiServer.Forms
I'm trying to create a new virtual role that checks for a particular key to be present within a user's session, but the session object is always null. Here's a simplified version of the virtual role. What am I doing wrong?
using System.Security.Principal;
using System.Web;

public class CustomSessionRole : EPiServer.Security.VirtualRoleProviderBase
{
    public override bool IsInVirtualRole(IPrincipal principal, object context)
    {
        // HttpContext.Current.Session is always null
        if (HttpContext.Current == null || HttpContext.Current.Session == null) return false;

        // Never fires
        return HttpContext.Current.Session["someKey"] != null;
    }
}
The virtual role is being added in the web.config's <virtualRoles> section as follows:
<add name="CustomSession" type="MyNamespace.CustomSessionRole, MyDLL" mode="Any" />
My guess would be that you see no session state because your roles are enumerated before the session state is made available (for your HttpContext object). In this lifecycle documentation, AuthorizeRequest is listed before AcquireRequestState, which means you won't have access to session state.
Two alternative suggestions (I prefer the last one, myself):
Hope it helps you out.
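To see the pipeline ordering the answer describes for yourself, the following diagnostic HttpModule can be dropped into the site. It is an added example, not code from the original thread or from EPiServer; the module name, the `SessionStageProbe` registration name and the use of Trace as the sink are assumptions, and you would swap in your own logger. It records whether HttpContext.Current.Session is populated at AuthorizeRequest (where the virtual roles are being evaluated) and again at PostAcquireRequestState, after SessionStateModule has run.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Hypothetical diagnostic module (added example, not from the original page).
// Register it in web.config, e.g. under <system.webServer><modules>:
//   <add name="SessionStageProbe" type="MyNamespace.SessionStageProbeModule, MyDLL" />
// It logs, per request, whether session state is available at the stage where
// the virtual roles are evaluated (AuthorizeRequest) versus after session state
// has been acquired (PostAcquireRequestState).
public class SessionStageProbeModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Stage at which authorization (and thus IsInVirtualRole) runs.
        app.AuthorizeRequest += (sender, e) => Probe("AuthorizeRequest");

        // PostAcquireRequestState is used rather than AcquireRequestState so the
        // probe is guaranteed to run after SessionStateModule's own handler,
        // regardless of module registration order.
        app.PostAcquireRequestState += (sender, e) => Probe("PostAcquireRequestState");
    }

    private static void Probe(string stage)
    {
        HttpContext ctx = HttpContext.Current;

        // ctx.Session is null until SessionStateModule has attached the session
        // to the context, which happens during AcquireRequestState.
        bool hasSession = ctx != null && ctx.Session != null;

        // Visible in trace.axd or an attached debugger; replace with your logger.
        Trace.WriteLine(String.Format("[{0}] Session available: {1}", stage, hasSession));
    }

    public void Dispose() { }
}
```

Requesting any page that uses session state should log "Session available: False" for AuthorizeRequest and "True" for PostAcquireRequestState, which is exactly why the role above never fires. Whatever a role keys on therefore has to be available before session state is acquired (the authenticated principal itself, its claims, or a cookie the role validates on its own), not something stored in Session.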