How to pass windows authentication from “.aspx” page to “.ashx” handler

Question

I have a page "Download.aspx" which requires Windows Authentication. When the user logs in they are presented with a list of links to files that they can download. The links actually point to a "ZipHandler.ashx" handler which processes the requests based on the parameters passed.

My problem is that HttpContext.Current.User.Identity.IsAuthenticated is false inside the ProcessRequest method of the IHttpHandler when an authenticated user accesses that handler.

I need to check if they are authenticated inside the IHttpHandler because unauthenticated users can also access the handler with different results. I've tested the value of HttpContext.Current.User.Identity.IsAuthenticated inside the "Download.aspx" page and the value is true so I don't understand why this is not the case for the ashx handler. I've tried adding the IReadOnlySessionState and IRequiresSessionState interfaces to my handler but I still have the same problem.

Answer 1

The problem was that the .ashx handler allows anonymous access but Windows Authentication will not even pass the WindowsIdentity along if the handler allows anonymous access. What I did to fix this is to create 2 handler entries in the web.config that point to the same handler class:

<add name="AnonymousHandler" verb="GET" path="*/AnonymousHandler.ashx"
     type="MyLibrary.MyHandler, MyHandler, Version=1.0.0.0, Culture=neutral, 
     PublicKeyToken=12e530ccad45314d"/>

<add name="AuthenticatedHandler" verb="GET" path="*/AuthenticatedHandler.ashx" 
     type="MyLibrary.MyHandler, MyHandler, Version=1.0.0.0, Culture=neutral,
     PublicKeyToken=12e530ccad45314d"/>

then I denied anonymous access to the authenticated version:

<location path="AuthenticatedHandler.ashx">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>