I have a Web Project which has a Business Layer that handles some data operations. I would like to secure some or all methods by checking if there is an active, not ended, valid Session before executing the method.
I first thought of using an Attribute over the class, but I couldn't run it properly. Since the class is a usual class and not derived from System.Web.Page, the attribute class never runs when the required BL instance is invoked. Besides, some of the methods might not require a valid session, so the whole class might not need complete security. And also, adding a line that checks the session at the beginning of every method doesn't sound very promising.
If you ask me why would I need to secure by method, I could explain like this:
- This is a web project
- A person might start filling out the form but not save it at that moment
- That screen waits about 30 mins lets say
- The session is already ended
- User is back in front of the computer, and clicks SAVE button, but process should NOT be completed
Save operation could easily be a DELETE operation or a SELECT.
Since there are many TYPEs of forms and stuff, I have BL.ItemManager, BL.VideoManager, BL.ServiceManager and so on... So, there are a lot of save, delete and select methods inside of these classes.
Therefore, is there a neat way to secure some methods by checking the session before running the process?
You may use aspect-oriented approach; PostSharp may be an option.
All you need to do is to create an attribute using PostSharp to inject code before the method call to check whether the session is alive. Something like;
[SessionAlive]
public void SomeMethod()
Or you may just use the Session_End method in the Global.asax file, or you may just use some JavaScript code to force redirection to the login page.
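Here is what the `[SessionAlive]` aspect sketched in this answer could look like as a build-time PostSharp aspect. This is an added example, not the answerer's code or PostSharp's own; it uses the real `PostSharp.Aspects.OnMethodBoundaryAspect` API and assumes (hypothetically) that the login code writes a `"UserId"` entry into the ASP.NET session, so a missing marker is what identifies an expired session. Checking `Session.IsNewSession` alone is not enough, because a first-time visitor also gets a new session.

```csharp
using System;
using System.Security;
using System.Web;
using PostSharp.Aspects;

// Assumption: at login the application stores a "UserId" marker in Session.
// When the ASP.NET session times out, the next request receives a fresh, empty
// session, so the absence of the marker means the user must re-authenticate.
[Serializable]
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public sealed class SessionAliveAttribute : OnMethodBoundaryAspect
{
    public const string LoginMarkerKey = "UserId";

    // PostSharp weaves this call into the start of every decorated method
    // at build time, so the business-layer code itself stays untouched.
    public override void OnEntry(MethodExecutionArgs args)
    {
        HttpContext ctx = HttpContext.Current;
        bool alive = ctx != null
                     && ctx.Session != null
                     && ctx.Session[LoginMarkerKey] != null;

        if (!alive)
        {
            // Throwing here stops the method body from running. The page or
            // controller that called it decides how to react (e.g. redirect
            // to the login page); the business layer never touches the UI.
            throw new SecurityException(
                "Session expired or not authenticated; refused to run " + args.Method.Name);
        }
    }
}

// Per-method application: only the state-changing methods are guarded,
// a read of public data is left open.
public class ItemManager
{
    [SessionAlive]
    public void Save(int itemId, string payload) { /* persist the item */ }

    [SessionAlive]
    public void Delete(int itemId) { /* remove the item */ }

    public string[] GetAll() { return new string[0]; }   // no session required
}

// Caller side (code-behind or controller), constructed usage:
public static class SaveButtonHandler
{
    public static void OnSaveClick(HttpResponse response, int itemId, string payload)
    {
        try
        {
            new ItemManager().Save(itemId, payload);
        }
        catch (SecurityException)
        {
            // Bounce the user to the login page instead of silently completing the save.
            response.Redirect(System.Web.Security.FormsAuthentication.LoginUrl, true);
        }
    }
}
```

Because the aspect is compiled into the method, it also fires when one business-layer method calls another directly, which is a difference from the proxy-based approaches: there is no object to bypass by calling `new ItemManager()` yourself.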
AOP is a great technique for your requirement. You can use PostSharp or Castle's DynamicProxy. These frameworks allow you to intercept method calls and you can do your security check in interceptors.
The biggest technical difference between PostSharp and Castle DynamicProxy is that PostSharp modifies your IL code, whereas Castle DynamicProxy creates a derived Type of your class and gives you an instance of the new derived type at runtime. This means that when you decompile code that uses PostSharp you see some other code that is not in the original C# source.
If you choose the DynamicProxy approach you should instantiate your classes through a factory, but if you prefer PostSharp you can directly use your classes. All you need is to add some attributes. On the other hand, PostSharp is not free.
Last, you can implement a DynamicProxy by yourself. Here is a simple DynamicProxy generator that I wrote. You can handle before / after method call and on error events. This is just a sample code and if you are planning to use it in an important application you should prefer Castle.
One more possibility would be to use Castle DynamicProxy - wrap your service with it. DynamicProxy lets you intercept method calls and wrap them with some generic behaviour - you could intercept only the specific methods you want, and add the session check.
DynamicProxy is free unlike PostSharp.
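The two DynamicProxy answers above (the one recommending a factory and this one about intercepting only specific methods) describe the same runtime-proxy design. Below is an added example of that design; it is not code from either answerer or from the Castle project. It uses the real `Castle.DynamicProxy` types (`ProxyGenerator`, `IInterceptor`, `IInvocation`) and invents a `RequiresSession` marker attribute and a `BusinessLayerFactory` for illustration. The session probe is passed in as a delegate so the same interceptor runs inside a web request and in an offline test; in a real request it would read `HttpContext.Current.Session`.

```csharp
using System;
using System.Security;
using Castle.DynamicProxy;

// Hypothetical marker: put it on the interface methods that need a live session.
[AttributeUsage(AttributeTargets.Method)]
public sealed class RequiresSessionAttribute : Attribute { }

public interface IItemManager
{
    [RequiresSession] void Save(int itemId, string payload);
    [RequiresSession] void Delete(int itemId);
    string[] GetAll();                         // public data, no session needed
}

// The real business-layer class knows nothing about sessions.
public class ItemManager : IItemManager
{
    public void Save(int itemId, string payload) { /* persist */ }
    public void Delete(int itemId) { /* remove */ }
    public string[] GetAll() { return new[] { "item-1", "item-2" }; }
}

// Runs before every call that goes through the proxy.
public sealed class SessionCheckInterceptor : IInterceptor
{
    private readonly Func<bool> _sessionIsAlive;

    public SessionCheckInterceptor(Func<bool> sessionIsAlive)
    {
        _sessionIsAlive = sessionIsAlive;
    }

    public void Intercept(IInvocation invocation)
    {
        // invocation.Method is the interface method, which is where the marker lives,
        // so only the methods you chose are guarded; the rest pass straight through.
        bool guarded = invocation.Method.IsDefined(typeof(RequiresSessionAttribute), true);
        if (guarded && !_sessionIsAlive())
            throw new SecurityException("Session expired; refused " + invocation.Method.Name);

        invocation.Proceed();                  // forward to the real ItemManager
    }
}

// The web layer must obtain managers from here. A plain "new ItemManager()" returns
// the unwrapped object and silently skips the check, which is the main caveat of
// proxy-based AOP (the same applies to a method calling another method on "this").
public static class BusinessLayerFactory
{
    private static readonly ProxyGenerator Generator = new ProxyGenerator();

    // Test-friendly overload: the caller supplies the session probe.
    public static IItemManager CreateItemManager(Func<bool> sessionIsAlive)
    {
        return Generator.CreateInterfaceProxyWithTarget<IItemManager>(
            new ItemManager(), new SessionCheckInterceptor(sessionIsAlive));
    }

    // Web overload, assuming login stored a "UserId" marker in Session.
    public static IItemManager CreateItemManager()
    {
        return CreateItemManager(() =>
        {
            var ctx = System.Web.HttpContext.Current;
            return ctx != null && ctx.Session != null && ctx.Session["UserId"] != null;
        });
    }
}

// Constructed demonstration of the expired-session case from the question.
public static class Demo
{
    public static void Main()
    {
        IItemManager expired = BusinessLayerFactory.CreateItemManager(() => false);
        Console.WriteLine(expired.GetAll().Length);     // unguarded method still answers
        try { expired.Save(1, "payload"); }
        catch (SecurityException e) { Console.WriteLine(e.Message); }   // save refused

        IItemManager live = BusinessLayerFactory.CreateItemManager(() => true);
        live.Save(1, "payload");                        // proceeds to the real class
    }
}
```

An interface proxy with a target is used rather than a class proxy so that the methods need not be `virtual`; with `CreateClassProxy` only virtual members are intercepted, and a non-virtual `Delete` would run unguarded without any error.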
AOP is definitely the way to go for this. In addition to the general-purpose AOP frameworks already proposed in other answers, you may be interested to know that the .NET framework includes an AOP mechanism for security verifications of this type. To use it, simply create (and use) an attribute that inherits from CodeAccessSecurityAttribute, along with an IPermission implementation that it can use to verify session validity.
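The declarative-security route this answer points at, as an added example (not the answerer's code): a custom `IPermission` whose `Demand()` performs the session check, and a `CodeAccessSecurityAttribute` that the runtime evaluates before the decorated method runs. It applies to the .NET Framework only; .NET Core and later do not honour Code Access Security attributes, so there the check would silently not run. The `"UserId"` session marker and the `VideoManager` class are assumptions for illustration. The permission deliberately does not derive from `CodeAccessPermission`, so no stack walk is involved; it is assumed to be demanded the way the framework demands its own `PrincipalPermission`, by calling `Demand()` directly.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Web;

// The permission: Demand() is the actual check.
[Serializable]
public sealed class SessionAlivePermission : IPermission
{
    public const string LoginMarkerKey = "UserId";   // assumed to be set at login

    public void Demand()
    {
        HttpContext ctx = HttpContext.Current;
        bool alive = ctx != null && ctx.Session != null && ctx.Session[LoginMarkerKey] != null;
        if (!alive)
            throw new SecurityException("Session expired or not authenticated.");
    }

    // The permission carries no state, so the set algebra required by IPermission is trivial.
    public IPermission Copy() { return new SessionAlivePermission(); }
    public IPermission Intersect(IPermission target) { return target == null ? null : Copy(); }
    public IPermission Union(IPermission target) { return Copy(); }
    public bool IsSubsetOf(IPermission target) { return target is SessionAlivePermission; }

    // ISecurityEncodable members, required by IPermission; used if a permission set is serialized.
    public SecurityElement ToXml()
    {
        var element = new SecurityElement("IPermission");
        element.AddAttribute("class", GetType().AssemblyQualifiedName.Replace('"', '\''));
        element.AddAttribute("version", "1");
        return element;
    }

    public void FromXml(SecurityElement element) { /* stateless: nothing to restore */ }
}

// The attribute: [SessionAlive(SecurityAction.Demand)] on a method makes the runtime
// call CreatePermission().Demand() before the method body executes.
[Serializable]
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = true, Inherited = false)]
public sealed class SessionAliveAttribute : CodeAccessSecurityAttribute
{
    public SessionAliveAttribute(SecurityAction action) : base(action) { }

    public override IPermission CreatePermission()
    {
        return new SessionAlivePermission();
    }
}

public class VideoManager
{
    [SessionAlive(SecurityAction.Demand)]
    public void Save(int videoId, string title) { /* persist */ }

    [SessionAlive(SecurityAction.Demand)]
    public void Delete(int videoId) { /* remove */ }

    public string[] GetAll() { return new string[0]; }   // not guarded
}
```

As with PostSharp, the check is attached to the method itself rather than to a wrapping object, so it also fires on internal calls; the price is the dependency on a runtime feature that newer platforms have dropped.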