Security on page

on 11.01.2008 10:57:01 by NH

I am trying to restrict users' access to certain pages in my asp.net 2.0 app.

What I have done is I check the user's permissions (based on data stored in
database) on the page load event of the page. If they don't have access I just
do a response.redirect to another page.

So it works something like this..

Page Load Event
    If ispostback=false then
        if userHasPermission = false then
            response.redirect("somewhereelse.aspx")
        end if
    end if

Should I be doing this check on some other page event, or is there a way a
smart user could bypass this check and get access to the page?

Re: Security on page

on 11.01.2008 12:09:30 by Eliyahu Goldin

If you can put all the pages with the same rights into one folder, you
should rather set up the section in the web.config. That is
the place where you grant or deny access to pages, no coding required.

http://support.microsoft.com/kb/316871


--
Eliyahu Goldin,
Software Developer
Microsoft MVP [ASP.NET]
http://msmvps.com/blogs/egoldin

"NH" wrote in message
news:940E170A-BE98-42FC-A8A8-E7CF62CB8946@microsoft.com...
> I am trying to restrict users' access to certain pages in my asp.net 2.0
> app.
>
> What I have done is I check the user's permissions (based on data stored in
> database) on the page load event of the page. If they don't have access I
> just do a response.redirect to another page.
>
> So it works something like this..
>
> Page Load Event
>     If ispostback=false then
>         if userHasPermission = false then
>             response.redirect("somewhereelse.aspx")
>         end if
>     end if
>
> Should I be doing this check on some other page event, or is there a way a
> smart user could bypass this check and get access to the page?
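
The folder-based approach described in the reply above, as an added example that is not part of the original thread: a root web.config that protects one folder by role. The folder name "Reports", the role "ReportViewers" and the page login.aspx are assumed names, and the example assumes the database permissions are exposed as roles through a role provider.

```xml
<?xml version="1.0"?>
<!-- Added example: root web.config for an ASP.NET 2.0 application.
     "Reports", "ReportViewers" and login.aspx are assumed names. -->
<configuration>
  <system.web>
    <!-- Forms Authentication issues the ticket; unauthenticated requests
         for protected URLs are sent to loginUrl by the runtime. -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" protection="All" timeout="30" />
    </authentication>

    <!-- Role checks below are answered by the configured role provider. -->
    <roleManager enabled="true" />

    <!-- Site-wide default: "?" stands for anonymous users. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules for everything under ~/Reports. Rules are evaluated top to
       bottom and the first match wins, so the allow must come before the
       deny. Without the explicit deny, the inherited default
       (allow users="*") would admit every authenticated user. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <allow roles="ReportViewers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules are applied by the runtime before any page code executes and on every request, postbacks included, so they do not depend on a check inside Page Load. Under IIS 6 they cover only file types mapped to ASP.NET.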

Re: Security on page

on 11.01.2008 12:13:41 by Leon Mayne

"NH" wrote in message
news:940E170A-BE98-42FC-A8A8-E7CF62CB8946@microsoft.com...
> I am trying to restrict users' access to certain pages in my asp.net 2.0
> app.
>
> What I have done is I check the user's permissions (based on data stored in
> database) on the page load event of the page. If they don't have access I
> just do a response.redirect to another page.
>
> So it works something like this..
>
> Page Load Event
>     If ispostback=false then
>         if userHasPermission = false then
>             response.redirect("somewhereelse.aspx")
>         end if
>     end if
>
> Should I be doing this check on some other page event, or is there a way a
> smart user could bypass this check and get access to the page?

It depends on how you are deriving userHasPermission. If this is pulled out
of a cookie value or querystring data then it's possible that a user could
bypass it. If possible you may be better off using Forms Authentication in
your application which will do all this processing for you.

RE: Security on page

on 11.01.2008 12:19:01 by jignesh

There is no need to check permissions on each page.

I feel you should look at the Membership & Role features of ASP.NET.
Also check tag of web.config

After a quick study of the above you should get some good alternative ways.

Regards
JIGNESH.

"NH" wrote:

> I am trying to restrict users' access to certain pages in my asp.net 2.0 app.
>
> What I have done is I check the user's permissions (based on data stored in
> database) on the page load event of the page. If they don't have access I just
> do a response.redirect to another page.
>
> So it works something like this..
>
> Page Load Event
>     If ispostback=false then
>         if userHasPermission = false then
>             response.redirect("somewhereelse.aspx")
>         end if
>     end if
>
> Should I be doing this check on some other page event, or is there a way a
> smart user could bypass this check and get access to the page?