The other day I was working on writing an HttpHandler for a website. The HttpHandler implements some functions from a custom MembershipProvider that provides some “hook” methods for calling applications. Everything seemed to work fine until we started to get some exceptions in an Ektron site that uses the HttpHanlder and customer MembershipProvider. After some time spent digging for answers, it turned out that the Ektron authentication process used session state, which is not enabled by default within the context of an HttpHandler. The fix for this was quite simple: implement the IRequiresSessionState interface in the HttpModule.