The global.asax file is used by web applications to handle some application-level events raised by the ASP.NET run time or by registered HTTP modules. The global.asax file is optional. If missing, the ASP.NET run-time environment simply assumes you have no application or module event handlers defined. To be functional, the global.asax file must be located in the root directory of the application. Only one global.asax file per application is accepted. (Files placed in subdirectories are simply ignored.)
ASP.NET global.asax and ASP global.asa files can happily coexist in a web application that makes use of ASPX and ASP files.
When the application is started, the global.asax file, if present, is parsed into a source class and compiled. The resultant assembly is created in the temporary directory just as any other dynamically generated assembly would be. The following listing shows the skeleton of the C# code that ASP.NET generates for any global.asax file:
namespace ASP { public class global_asax : System.Web.HttpApplication { private static bool __initialized = false; // The source code of "global.asax" file is flushed // here verbatim. public global_asax() { if ((ASP.global_asax.__initialized == false)) { ASP.global_asax.__initialized = true; } } } }
The class is called "ASP.global_asax and is derived from the HttpApplication base class. You should note that the entire source code of the global.asax file is inserted in the body of the class. For this reason, you can't have statements outside methods. For example, the following code in global.asax would originate a compile error:
int i; i = 2;
In most cases, you deploy global.asax as a separate text file; however, you can also write it as a class and compile either in a separate assembly or within your project's assembly. The class source code must follow the outline shown earlier and, above all, must derive from HttpApplication. The assembly with the compiled version of global.asax must be deployed in the application's Bin subdirectory.
Note, though, that even if you isolate the logic of the global.asax file in a precompiled assembly, you still need to have a (codeless) global.asax file that refers to the assembly. (This is exactly what happens with Visual Studio .NET projects.)
<%@ Application Inherits="ProAspNet.Global" %>
With a precompiled global application file, you certainly don't risk exposing your source code over the Web to malicious attacks. However, even if you leave it as source code, you're somewhat safe.
The global.asax file, in fact, is configured so that any direct URL request for it is automatically rejected by IIS. In this way, external users cannot download or view the code it contains. The trick that enables this behavior is the following line of code, excerpted from machine.config:
<add verb="*" path="*.asax" <br> type="System.Web.HttpForbiddenHandler" />
ASP.NET registers with IIS to handle .asax resouces, but then processes those direct requests through the HttpForbiddenHandler HTTP handler. As a result, when a browser requests an .asax resource, an error message is returned to the browser.
Dino Esposito is Wintellect's ADO.NET and XML expert, and a trainer and consultant based in Rome, Italy. Dino is a contributing editor to Windows Developer Magazine and MSDN Magazine, and the author of several books for Microsoft Press including Building Web Solutions with ASP.NET and ADO.NET and Applied XML Programming for .NET. Contact Dino at [email protected].