Hi all,
I'm attempting to create a login/role system for an application I'm
building. My idea is to store an instance of a 'webapp' object in
global.asax. This object stores login (username, ID) and role
information (user, admin etc) which is set on a successful login.
Would it be ok to put this object in the global.asax file and initiate
it on Session_start?
I'm unsure of any potential security implications of doing this.
thanks
Is this "webapp" object a per user object? If so, initiating it from
the session_start seems to be the right place.
Alex
Yes.
I figured having a per user/session object which, when the user logs
in, will contain their permissions, ID (for db manipulation) and a few
other needed bits of information.
Each page will contain an object specifying the access level needed to
view that page, with a redirect for failed access.
Does this sound like an ok way of doing things?
I asked about the global.asax as I wanted to make sure storing login
information in an object from there was secure, i.e. no-one could
manipulate it to login without credentials.
One way to do it with forms authentication is set up a user and password
table with role information. You can then use the role settings to allow for
specific page access.
--
Paul G
Software engineer.
None of this is needed or even possibly desirable with ASP.NET 2.0
Membership, Roles and Profiles.
--
<%= Clinton Gallagher
NET csgallagher AT metromilwaukee. com
URL http://clintongallagher.metromilwaukee.com/
clintonG wrote: None of this is needed or even possibly desirable with ASP.NET 2.0 Membership, Roles and Profiles.
I can't use membership, roles and profiles as I am using MySQL. I am
not willing to pay out hundreds of pounds a month to host on MS-SQL for
a personal project when I could write what is needed and use MySQL for
free.
I have tried some ODBC membership/role providers but they don't work
or are very buggy.
So out of curiosity, why isn't it desirable?
Have not worked with asp.net 2.0 but heard it automates all of this for you
or makes it very easy to set up. I used roles, password and user tables with
MySQL and asp.net 1.1. Seems to work fine as we only have a few hundred
users.
table 1.
********************************************
* user id * user name * password * role id *
********************************************
table 2.
*************************
* role id * role level *
*************************
--
Paul G
Software engineer.
Hi Paul,
This is what I've done. On login auth, a session object stores the role
and it is checked against a page object, redirecting if the user has
not got the needed role.
The objects which create this functionality in .net2.0 are catered to
MS-SQL. It's supposedly possible to inherit from the base of these
objects to write your own version for your own DB. But it seems like a
LOT of work, and the ones I've downloaded from the net (created by
other users for MySQL) don't seem to work correctly.
Also, compared to the objects I can create to enable this
functionality and secure the site, the pre-rolled .net 2.0 ones seem
pretty large.
A few posts up clintonG says writing your own isn't desirable and I'm
curious why - I don't want to inadvertently leave security holes in the
site.
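One way to implement the per-session object and per-page access-level check discussed in this thread, as an added example that is not code from any poster. The names WebAppUser, SecuredPage, SignIn, AdminReportPage, the "webapp" session key, Login.aspx and the level numbers are all assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Per-user object held in server-side session state (assumed name).
// The browser only ever holds the session ID, not this object.
[Serializable]
public class WebAppUser
{
    public int UserId;      // 0 until a login succeeds
    public string UserName;
    public int RoleLevel;   // 0 = anonymous; higher values mean more access
    public bool IsLoggedIn { get { return UserId > 0; } }
}

// Base class for every protected page. The login page itself must NOT derive from it.
public class SecuredPage : Page
{
    // Defaults to "nobody", so a page that forgets to override it stays closed.
    protected virtual int RequiredLevel { get { return int.MaxValue; } }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        WebAppUser user = Session["webapp"] as WebAppUser;
        // Fail closed: a missing object, an anonymous user or too low a level all redirect.
        if (user == null || !user.IsLoggedIn || user.RoleLevel < RequiredLevel)
        {
            // endResponse = true aborts the request, so no protected output is rendered.
            Response.Redirect(ResolveUrl("~/Login.aspx"), true);
        }
    }

    // Call only from the login handler, after the password check against the
    // user table has succeeded. userId and roleLevel must come from the database
    // row, never from form fields, query strings or cookies sent by the browser.
    public static void SignIn(HttpContext ctx, int userId, string userName, int roleLevel)
    {
        WebAppUser user = new WebAppUser();
        user.UserId = userId;
        user.UserName = userName;
        user.RoleLevel = roleLevel;
        ctx.Session["webapp"] = user;
    }
}

public class AdminReportPage : SecuredPage
{
    protected override int RequiredLevel { get { return 2; } } // assumed: 2 = admin
}
```

With this layout the only code path that raises a user's level is SignIn, so the review question becomes whether anything else in the application writes to Session["webapp"].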
ok thanks for the additional information. I am wondering why as well,
hopefully clintonG will respond
--
Paul G
Software engineer.