My ASP.NET application is a league-management system (for soccer
etc.). The league which is being viewed is determined in a URL
parameter, e.g.:
http://www.mydomain.com/default.aspx?leagueid=3
(although I'm using URL rewriting to make this nicer, e.g.
http://www.mydomain.com/myleague/default.aspx, but all the leagues are
driven by the same set of pages, which dynamically include different CSS
to change the look and feel for each league).
My problem is this:
For each league, I want users to be able to register, and log in to
see sensitive information (contact details etc).
But the user list has to be different for each league - e.g. users who
have registered for league A don't automatically get access to league
B's sensitive information, unless they register for league B as well.
If both leagues are driven by the same set of pages, and the only
difference is a URL parameter, how can I check whether they're logged
in or not?
I don't think I can use Forms Authentication, as it can't determine
authorization by URL parameter (as far as I can tell). Also, I'm
already using Forms authentication for a central admin system for the
whole application which is different again... (yipe)
Was thinking of just writing classic ASP-style authentication for the
front end, using Session variables or something...
e.g. if(Session["league"+thisleagueid+"LoggedIn"]...etc
Would this be evil?
Mike Taylor
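
One way to keep per-league login state in Session, as an added example that is not part of the original post: the leagueid value from the URL is parsed as a strict integer and checked against a set of league ids stored server-side after a successful login for that league. LeagueAccess, Grant, IsAuthorized and the session key are hypothetical names, and the dictionary stands in for the ASP.NET Session object.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

// Added example, not from the original post. LeagueAccess, Grant and
// IsAuthorized are hypothetical names; the dictionary stands in for Session.
public static class LeagueAccess
{
    private const string Key = "AuthorizedLeagueIds";

    // Call only after the user's credentials were verified against
    // this league's own user list.
    public static void Grant(IDictionary<string, object> session, int leagueId)
    {
        object stored;
        HashSet<int> leagues = session.TryGetValue(Key, out stored) ? stored as HashSet<int> : null;
        if (leagues == null)
        {
            leagues = new HashSet<int>();
            session[Key] = leagues;
        }
        leagues.Add(leagueId);
    }

    // rawLeagueId is the untrusted leagueid value taken from the URL.
    public static bool IsAuthorized(IDictionary<string, object> session, string rawLeagueId)
    {
        int leagueId;
        // Digits only: rejects null, "", "3 ", "+3", "-1" and "3abc".
        if (!int.TryParse(rawLeagueId, NumberStyles.None, CultureInfo.InvariantCulture, out leagueId))
            return false;
        object stored;
        HashSet<int> leagues = session.TryGetValue(Key, out stored) ? stored as HashSet<int> : null;
        // Access depends on server-side state, never on the URL alone.
        return leagues != null && leagues.Contains(leagueId);
    }

    public static void Main()
    {
        var session = new Dictionary<string, object>(); // constructed sample session
        Grant(session, 3);                               // user logged in to league 3 only
        foreach (string raw in new[] { "3", "4", "3abc", null })
            Console.WriteLine("leagueid={0} -> {1}", raw ?? "(missing)", IsAuthorized(session, raw));
    }
}
```

Every page that shows sensitive league data would call the check with the current request's leagueid before rendering, so changing the parameter to another league's id yields no access unless that league was also granted in the same session.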