
Hide Links Depending on Login

I'm using forms authentication with a database. I have an app that lets
users run online reports. Right now, depending on their login in the DB,
they get redirected to the pages that apply to them. I've noticed that
nothing stops them from browsing out to another user's page once they log
in.

I'm thinking maybe I should just hide content instead. Are there any
simple examples of this or is my current way fixable?

Thanks,
Frank

Nov 19 '05 #1


Here is what I did:

In db, assign roles to different users.

In Login Form, save the user role in authentication cookie, like this:

    // Requires: using System.Web; using System.Web.Security;
    string userData = "Role1";
    FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, userName,
        DateTime.Now, DateTime.Now.AddHours(12), false, userData);
    HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName);
    // Encrypt the ticket (including the role list) before it goes to the browser
    authCookie.Value = FormsAuthentication.Encrypt(authTicket);
    Response.Cookies.Add(authCookie);

In Global.asax, add AuthenticationRequest Handler, like this:

    // Requires: using System.Security.Principal; using System.Web.Security;
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        if (Context.Request.IsAuthenticated)
        {
            FormsIdentity identity = (FormsIdentity)Context.User.Identity;
            // IN MY CASE, a user has multiple roles and I store
            // roles in one column separated by comma
            string[] roles = identity.Ticket.UserData.Split(',');
            for (int i = 0; i < roles.Length; i++)
            {
                roles[i] = roles[i].Trim();
            }
            // Attach the roles to the request so User.IsInRole() works
            Context.User = new GenericPrincipal(identity, roles);
        }
    }

Now, in the page you want dynamic link.

    // do something like this:
    // hide the link from users in the "Sales" role, show it to everyone else
    link.Visible = !User.IsInRole("Sales");

Hope it helps

John

Nov 19 '05 #2

Instead of using cookies on the client side, you could set a server session
variable at login and on those pages that are selective you would just check
for the correct value of the session variable. If it is set right, then
allow the page. This is the way I do that on my personal web site.

Evan R. Hicks

Nov 19 '05 #3
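
An added example, not part of any post above: hiding a link only changes what is rendered, so the report page itself still has to refuse a request from a user who types its URL. This sketch assumes the GenericPrincipal set up in Application_AuthenticateRequest in reply #2; the class names RoleProtectedPage and SalesReportPage, and "Sales" as the required role, are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web.UI;

// Hypothetical base class: pages deriving from it are refused on the server
// unless the caller holds at least one of the roles the page declares.
public abstract class RoleProtectedPage : Page
{
    // Each protected page states which roles may open it.
    protected abstract string[] AllowedRoles { get; }

    // Pure check, separate from the page lifecycle so it can be unit tested.
    public static bool IsAllowed(IPrincipal user, string[] allowedRoles)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        foreach (string role in allowedRoles)
        {
            if (user.IsInRole(role))
                return true;
        }
        return false;
    }

    protected override void OnInit(EventArgs e)
    {
        // Runs before any page content is built, whether the user followed
        // a visible link or entered the address directly.
        if (!IsAllowed(Context.User, AllowedRoles))
        {
            Response.StatusCode = 403; // Forbidden
            Response.End();            // aborts further processing of this request
            return;
        }
        base.OnInit(e);
    }
}

// Hypothetical report page that only members of the "Sales" role may open.
public class SalesReportPage : RoleProtectedPage
{
    protected override string[] AllowedRoles
    {
        get { return new string[] { "Sales" }; }
    }
}
```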
