HttpContext/IHttpContextAccessor article (#34592)

Author: guardrex

aspnetcore/blazor/security/includes/httpcontext.md renamed to aspnetcore/blazor/components/httpcontext.md

@@ -1,3 +1,17 @@
+---
+title: IHttpContextAccessor/HttpContext in ASP.NET Core Blazor apps
+author: guardrex
+description: Learn about IHttpContextAccessor and HttpContext in ASP.NET Core Blazor apps.
+monikerRange: '>= aspnetcore-3.1'
+ms.author: riande
+ms.custom: mvc
+ms.date: 01/30/2025
+uid: blazor/components/httpcontext
+---
+# `IHttpContextAccessor`/`HttpContext` in ASP.NET Core Blazor apps
+
+[!INCLUDE[](~/includes/not-latest-version-without-not-supported-content.md)]
+
 :::moniker range=">= aspnetcore-8.0"
 
 <xref:Microsoft.AspNetCore.Http.IHttpContextAccessor> generally should be avoided with interactive rendering because a valid <xref:Microsoft.AspNetCore.Http.HttpContext> isn't always available.
@@ -11,7 +25,14 @@
 public HttpContext? HttpContext { get; set; }
 ```
 
-For scenarios where the <xref:Microsoft.AspNetCore.Http.HttpContext> is required in interactive components, we recommend flowing the data via persistent component state from the server. For more information, see <xref:blazor/security/additional-scenarios#pass-tokens-to-a-server-side-blazor-app>.
+During interactive rendering, an <xref:Microsoft.AspNetCore.Http.HttpContext> instance might not even exist. For scenarios where the <xref:Microsoft.AspNetCore.Http.HttpContext> is required in interactive components, we recommend flowing context data with [persistent component state](xref:blazor/components/prerender#persist-prerendered-state) from the server.
+
+For additional context in *advanced* edge cases&dagger;, see the discussion in the following articles:
+
+* [HttpContext is valid in Interactive Server Rendering Blazor page (`dotnet/AspNetCore.Docs` #34301)](https://github.com/dotnet/AspNetCore.Docs/issues/34301)
+* [Security implications of using IHttpContextAccessor in Blazor Server (`dotnet/aspnetcore` #45699)](https://github.com/dotnet/aspnetcore/issues/45699)
+
+&dagger;Most developers building and maintaining Blazor apps don't need to delve into advanced concepts as long as the general guidance in this article is followed.
 
 :::moniker-end
 
@@ -24,3 +45,5 @@ The recommended approach for passing request state to the Blazor app is through
 A critical aspect of server-side Blazor security is that the user attached to a given circuit might become updated at some point after the Blazor circuit is established but the <xref:Microsoft.AspNetCore.Http.IHttpContextAccessor> ***isn't updated***. For more information on addressing this situation with custom services, see <xref:blazor/security/additional-scenarios#circuit-handler-to-capture-users-for-custom-services>.
 
 :::moniker-end
+
+For guidance on <xref:Microsoft.AspNetCore.Http.IHttpContextAccessor> and <xref:Microsoft.AspNetCore.Http.HttpContext> in ASP.NET Core SignalR, see <xref:signalr/httpcontext>.

aspnetcore/blazor/components/index.md

@@ -1865,10 +1865,6 @@ For more information, see the following resources:
 * <xref:mvc/views/tag-helpers/builtin-th/component-tag-helper>
 * <xref:blazor/components/integration>
 
-## `IHttpContextAccessor`/`HttpContext`
-
-[!INCLUDE[](~/blazor/security/includes/httpcontext.md)]
-
 <!--Reference links in article-->
 [1]: <xref:mvc/views/razor#code>
 [2]: <xref:mvc/views/razor#using>

aspnetcore/blazor/fundamentals/signalr.md

@@ -1507,10 +1507,6 @@ app.MapBlazorHub();
 + app.MapBlazorHub("/signalr");
 ```
 
-## `IHttpContextAccessor`/`HttpContext`
-
-[!INCLUDE[](~/blazor/security/includes/httpcontext.md)]
-
 ## Impersonation for Windows Authentication
 
 Authenticated hub connections (<xref:Microsoft.AspNetCore.SignalR.Client.HubConnection>) are created with <xref:Microsoft.AspNetCore.Http.Connections.Client.HttpConnectionOptions.UseDefaultCredentials%2A> to indicate the use of default credentials for HTTP requests. For more information, see <xref:signalr/authn-and-authz#windows-authentication>.
@@ -1573,6 +1569,7 @@ In the preceding code, `NavManager` is a <xref:Microsoft.AspNetCore.Components.N
   * <xref:blazor/security/index>
   * <xref:blazor/security/interactive-server-side-rendering>
   * <xref:blazor/security/additional-scenarios>
+* <xref:blazor/components/httpcontext>
 * [Server-side reconnection events and component lifecycle events](xref:blazor/components/lifecycle#blazor-server-reconnection-events)
 * [What is Azure SignalR Service?](/azure/azure-signalr/signalr-overview)
 * [Performance guide for Azure SignalR Service](/azure/azure-signalr/signalr-concept-performance)

aspnetcore/blazor/security/index.md

@@ -108,10 +108,6 @@ The built-in or custom <xref:Microsoft.AspNetCore.Components.Authorization.Authe
 
 For more information on server-side authentication, see <xref:blazor/security/index>.
 
-### `IHttpContextAccessor`/`HttpContext`
-
-[!INCLUDE[](~/blazor/security/includes/httpcontext.md)]
-
 ### Shared state
 
 [!INCLUDE[](~/blazor/security/includes/shared-state.md)]
@@ -1417,6 +1413,7 @@ PII refers any information relating to an identified or identifiable natural per
   * [Microsoft identity platform access tokens](/entra/identity-platform/access-tokens)
 * <xref:security/index>
 * <xref:security/authentication/windowsauth>
+* <xref:blazor/components/httpcontext>
 * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library)
 * [Awesome Blazor: Authentication](https://github.com/AdrienTorris/awesome-blazor#authentication) community sample links
 * <xref:blazor/hybrid/security/index>
@@ -1438,6 +1435,7 @@ PII refers any information relating to an identified or identifiable natural per
   * [Microsoft identity platform ID tokens](/entra/identity-platform/id-tokens)
   * [Microsoft identity platform access tokens](/entra/identity-platform/access-tokens)
 * <xref:security/index>
+* <xref:blazor/components/httpcontext>
 * <xref:security/authentication/windowsauth>
 * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library)
 * [Awesome Blazor: Authentication](https://github.com/AdrienTorris/awesome-blazor#authentication) community sample links

aspnetcore/blazor/security/interactive-server-side-rendering.md

@@ -62,7 +62,7 @@ In general, we recommend that you avoid rendering components that contain sensit
 
 ## `IHttpContextAccessor`/`HttpContext`
 
-[!INCLUDE[](~/blazor/security/includes/httpcontext.md)]
+For more information, see <xref:blazor/components/httpcontext>.
 
 ## Resource exhaustion
 

aspnetcore/fundamentals/http-context.md

@@ -191,7 +191,7 @@ public class EmailController : Controller
 
 ## `IHttpContextAccessor`/`HttpContext` in Razor components (Blazor)
 
-[!INCLUDE[](~/blazor/security/includes/httpcontext.md)]
+For more information, see <xref:blazor/components/httpcontext>.
 
 :::moniker-end
 
@@ -346,6 +346,6 @@ public class EmailController : Controller
 
 ## `IHttpContextAccessor`/`HttpContext` in Razor components (Blazor)
 
-[!INCLUDE[](~/blazor/security/includes/httpcontext.md)]
+For more information, see <xref:blazor/components/httpcontext>.
 
 :::moniker-end

aspnetcore/signalr/httpcontext.md

@@ -0,0 +1,25 @@
+---
+title: IHttpContextAccessor/HttpContext in ASP.NET Core SignalR
+author: guardrex
+description: Learn about IHttpContextAccessor and HttpContext in ASP.NET Core SignalR.
+monikerRange: '>= aspnetcore-3.1'
+ms.author: riande
+ms.custom: mvc
+ms.date: 01/30/2025
+uid: signalr/httpcontext
+---
+# `IHttpContextAccessor`/`HttpContext` in ASP.NET Core SignalR
+
+[!INCLUDE[](~/includes/not-latest-version-without-not-supported-content.md)]
+
+<xref:Microsoft.AspNetCore.Http.IHttpContextAccessor>/<xref:Microsoft.AspNetCore.Http.HttpContext> generally should be avoided with SignalR because a valid <xref:Microsoft.AspNetCore.Http.HttpContext> isn't always available. In most cases, the context doesn't exist (`null`).
+
+Even when an <xref:Microsoft.AspNetCore.Http.HttpContext> instance is available, the context is dependent on the transport:
+
+* WebSockets receives a single context as the result of the initial handshake.
+* Long polling receives a new context per client "poll" request.
+* A SignalR service receives a mocked/faked/shim context.
+
+When working within a SignalR hub, you can access the <xref:Microsoft.AspNetCore.Http.HttpContext> directly using the <xref:Microsoft.AspNetCore.SignalR.GetHttpContextExtensions.GetHttpContext%2A?displayProperty=nameWithType> method. This method returns the <xref:Microsoft.AspNetCore.Http.HttpContext> for the current connection or `null` if the connection isn't associated with an HTTP request. This is particularly useful for retrieving HTTP connection information, such as headers and query strings, directly within the hub. We recommend calling this method over <xref:Microsoft.AspNetCore.Http.IHttpContextAccessor> for accessing <xref:Microsoft.AspNetCore.Http.HttpContext> in the hub. For more information, see <xref:signalr/hubs#the-context-object>.
+
+For guidance on <xref:Microsoft.AspNetCore.Http.IHttpContextAccessor>/<xref:Microsoft.AspNetCore.Http.HttpContext> in ASP.NET Core Blazor apps, see <xref:blazor/components/httpcontext>.

aspnetcore/toc.yml

@@ -486,6 +486,8 @@ items:
                 uid: blazor/components/render-modes
               - name: Prerender components
                 uid: blazor/components/prerender
+              - name: IHttpContextAccessor and HttpContext
+                uid: blazor/components/httpcontext
               - name: Generic type support
                 uid: blazor/components/generic-type-support
               - name: Synchronization context
@@ -956,6 +958,9 @@ items:
       - name: Configuration
         uid: signalr/configuration
         displayName: signalr
+      - name: IHttpContextAccessor and HttpContext
+        uid: signalr/httpcontext
+        displayName: signalr
       - name: Authentication and authorization
         uid: signalr/authn-and-authz
         displayName: signalr