Working on a new version of the learnasp4.com website, I stumbled across an issue with ASP.NET Authentication when streaming video to Google Nexus devices and the Safari Browser.
The new website uses an HTTP Handler to check whether the user is logged in and only serve video files to them if they are. (HTTP Handlers are covered in Session 7 of the Expert Skills course).
On Internet Explorer, Firefox, Chrome and almost everything else, this worked fine. When the browser sends a request for the video file, it sends all of the ASP.NET session information along with the request, and my handler was able to detect whether the user was logged in.
However, on the Google Nexus, this doesn’t happen! Instead of sending a request from the Chrome browser, the Google Nexus sends a request from its own media player, known as “Stagefright”. The request from Stagefright is completely divorced from the browser session, so the handler does not see it as a logged-in browser. Naturally, this means that the handler never sends any video to the Google Nexus!
On most devices, this is easily fixed by simply installing Flash. Flash correctly maintains session information when requesting video, so this would be an ideal solution…except Google don’t support Flash on the Nexus.
The plot thickens still further when it becomes clear that Google have known about this issue since November 2008. It's also interesting to note that the Safari browser has a very similar problem.
When Safari requests a video file, it sends the request through QuickTime. Just like Stagefright, QuickTime sends the request without any session information, preventing the files from being secured using ASP.NET authentication.
This issue seems to be fixed in the latest versions of Safari, so perhaps there is still hope that Stagefright will eventually respect sessions as well.
There are many possible workarounds for this problem (such as providing a querystring parameter to the handler), but since it only seems to affect Google Nexus devices it doesn’t seem unreasonable to call on Google to fix what looks like a serious bug in their browser!
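As an illustration of the querystring workaround mentioned above, here is an added sketch (not code from the learnasp4.com site) in which the page, after the normal login check, emits a short-lived HMAC-signed link that the handler can verify without any session cookie. The class names, the `file`/`exp`/`sig` parameter names, the key and the `~/App_Data/videos/` folder are all assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Web;
// Hypothetical names throughout; this is an illustrative example, not the site's handler.
public static class VideoToken
{
    // Assumption: a real deployment loads this key from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-change-me");

    private static string Sign(string file, long expires)
    {
        using (var hmac = new HMACSHA256(Key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(file + "|" + expires))).Replace("-", "");
    }

    // Call while rendering the page, once the user has passed the usual ASP.NET login check.
    public static string BuildQuery(string file, TimeSpan lifetime)
    {
        long exp = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        return "file=" + HttpUtility.UrlEncode(file) + "&exp=" + exp + "&sig=" + Sign(file, exp);
    }

    public static bool IsValid(string file, string exp, string sig)
    {
        long expires;
        if (string.IsNullOrEmpty(file) || sig == null || !long.TryParse(exp, out expires)) return false;
        if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() > expires) return false; // link has expired
        string expected = Sign(file, expires);
        int diff = expected.Length ^ sig.Length; // compare without an early exit on first mismatch
        for (int i = 0; i < expected.Length && i < sig.Length; i++) diff |= expected[i] ^ sig[i];
        return diff == 0;
    }
}

public class SecureVideoHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        var q = context.Request.QueryString;
        if (!VideoToken.IsValid(q["file"], q["exp"], q["sig"])) { context.Response.StatusCode = 403; return; }
        // GetFileName drops any directory part, so the request cannot leave the video folder.
        string path = context.Server.MapPath("~/App_Data/videos/" + Path.GetFileName(q["file"]));
        context.Response.ContentType = "video/mp4";
        context.Response.TransmitFile(path);
    }
}
```

Anyone who obtains the signed URL can fetch the video until it expires, and URLs end up in server logs and browser history, so keep the lifetime to a few minutes and never put the ASP.NET session ID itself in the query string.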