Hide Links Depending on Login

I'm using forms authentication with a database. I have an app that lets
users run online reports. Right now, depending on their login in the DB,
they get redirected to the pages that apply to them. I've noticed that
nothing stops them from browsing out to another user's page once they log
in.

I'm thinking maybe I should just hide content instead. Are there any
simple examples of this or is my current way fixable?

Thanks,
Frank

Nov 19 '05 #1
Here is what I did:

In db, assign roles to different users.

In Login Form, save the user role in authentication cookie, like this:

    // requires: using System.Web; using System.Web.Security;
    string userData = "Role1";
    FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, userName,
        DateTime.Now, DateTime.Now.AddHours(12), false, userData);
    HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName);
    // Encrypt() protects the ticket, including the role string in userData
    authCookie.Value = FormsAuthentication.Encrypt(authTicket);
    Response.Cookies.Add(authCookie);

In Global.asax, add AuthenticationRequest Handler, like this:

    // requires: using System.Security.Principal; using System.Web.Security;
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        if (Context.Request.IsAuthenticated)
        {
            string[] roles;
            FormsIdentity identity = (FormsIdentity) Context.User.Identity;
            // IN MY CASE, a user has multiple roles and I store
            // roles in one column separated by comma
            roles = identity.Ticket.UserData.Split(',');
            for (int i = roles.GetLowerBound(0); i <= roles.GetUpperBound(0); i++)
            {
                roles[i] = roles[i].Trim();
            }
            // Replace the principal so User.IsInRole() sees these roles
            Context.User = new GenericPrincipal(identity, roles);
        }
    }

Now, in the page you want dynamic link.

    // do something like this:
    if (User.IsInRole("Sales"))
        link.Visible = false;
    else
        link.Visible = true;

Hope it helps

John

Nov 19 '05 #2
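Hiding a link does not stop a direct request for the page's URL, which is the problem raised in the question. The following is an added example, not code from any poster in this thread: a base page class that checks, on every request, the roles that the `Application_AuthenticateRequest` handler above puts on `Context.User`. The names `RoleProtectedPage`, `AllowedRoles`, `IsAllowed` and `SalesReport` are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Hypothetical base class (not from the thread): each protected page derives
// from it and declares which roles may request it.
public abstract class RoleProtectedPage : Page
{
    // Roles allowed to request this page, e.g. new string[] { "Sales" }.
    protected abstract string[] AllowedRoles { get; }

    protected override void OnInit(EventArgs e)
    {
        // Enforced server-side before any control is built or rendered,
        // so typing the URL directly gets a 403 instead of the report.
        if (!IsAllowed(Context.User, AllowedRoles))
            throw new HttpException(403, "Forbidden");
        base.OnInit(e);
    }

    // Fails closed: no principal, an anonymous user, or an empty role
    // list all result in a denial.
    public static bool IsAllowed(IPrincipal user, string[] allowedRoles)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        if (allowedRoles == null || allowedRoles.Length == 0)
            return false;
        foreach (string role in allowedRoles)
        {
            // IsInRole consults the GenericPrincipal built from the ticket.
            if (user.IsInRole(role))
                return true;
        }
        return false;
    }
}

// Hypothetical report page: only members of the "Sales" role may load it.
public class SalesReport : RoleProtectedPage
{
    protected override string[] AllowedRoles
    {
        get { return new string[] { "Sales" }; }
    }
}
```

The same rule can be declared without code in web.config, using a `<location>` element whose `<authorization>` section contains `<allow roles="Sales" />` followed by `<deny users="*" />`.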
Instead of using cookies on the client side, you could set a server session
variable at login and on those pages that are selective you would just check
for the correct value of the session variable. If it is set right, then
allow the page. This is the way I do that on my personal web site.

Evan R. Hicks


Nov 19 '05 #3