
Global.asax beginner question

Hi all,

I'm attempting to create a login/role system for an application I'm
building. My idea is to store an instance of a 'webapp' object in
global.asax. This object stores login (username, ID) and role
information (user, admin etc) which is set on a successful login.
Would it be ok to put this object in the global.asax file and initiate
it on Session_start?
I'm unsure of any potential security implications of doing this.
thanks

May 3 '06 #1
8 Replies


Is this "webapp" object a per user object? If so, initiating it from
the session_start seems to be the right place.

Alex

May 3 '06 #2

Yes.
I figured having a per user/session object which, when the user logs
in, will contain their permissions, ID (for db manipulation) and a few
other needed bits of information.
Each page will contain an object specifying the access level needed to
view that page, with a redirect for failed access.

Does this sound like an ok way of doing things?

I asked about the global.asax as I wanted to make sure storing login
information in an object from there was secure, i.e. no one could
manipulate it to login without credentials.

May 3 '06 #3

One way to do it with forms authentication is set up a user and password
table with role information. You can then use the role settings to allow for
specific page access.
--
Paul G
Software engineer.

May 3 '06 #4

None of this is needed or even possibly desirable with ASP.NET 2.0
Membership, Roles and Profiles.

--
<%= Clinton Gallagher
NET csgallagher AT metromilwaukee.com
URL http://clintongallagher.metromilwaukee.com/

May 4 '06 #5

clintonG wrote:
None of this is needed or even possibly desirable with ASP.NET 2.0
Membership, Roles and Profiles.


I can't use membership, roles and profiles as I am using MySQL. I am
not willing to pay out hundreds of pounds a month to host on MS-SQL for
a personal project when I could write what is needed and use MySQL for
free.
I have tried some ODBC membership/role providers but they don't work
or are very buggy.
So out of curiosity, why isn't it desirable?

May 4 '06 #6

Have not worked with asp.net 2.0 but heard it automates all of this for you
or makes it very easy to set up. I used roles, password and user tables with
MySQL and asp.net 1.1. Seems to work fine as we only have a few hundred
users.

table 1.

********************************************
* user id * user name * password * role id *
********************************************

table 2.

************************
* role id * role level *
************************

--
Paul G
Software engineer.

May 4 '06 #7

Paul wrote:
Have not worked with asp.net 2.0 but heard it automates all of this for you
or makes it very easy to set up. I used roles, password and user tables with
MySQL and asp.net 1.1. Seems to work fine as we only have a few hundred
users.

table 1.

********************************************
* user id * user name * password * role id *
********************************************

table 2.

************************
* role id * role level *
************************

Hi Paul,

This is what I've done. On login auth, a session object stores the role
and it is checked against a page object, redirecting if the user has
not got the needed role.
The objects which create this functionality in .net2.0 are catered to
MS-SQL. It's supposedly possible to inherit from the base of these
objects to write your own version for your own DB. But it seems like a
LOT of work, and the ones I've downloaded from the net (created by
other users for MySQL) don't seem to work correctly.
Also, compared to the objects I can create to enable this
functionality and secure the site, the pre-rolled .net 2.0 ones seem
pretty large.

A few posts up clintonG says writing your own isn't desirable and I'm
curious why - I don't want to inadvertently leave security holes in the
site.

May 4 '06 #8
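
The design discussed in this thread (a per-session object filled in at login and compared against the access level each page declares, with a redirect on failure), as an added C# example that is not code from any poster. The names AccessLevel, UserContext, Auth, SecuredPage, the "UserContext" session key and Login.aspx are assumptions.

```csharp
using System;
using System.Web.SessionState;
using System.Web.UI;

// All names here (AccessLevel, UserContext, Auth, SecuredPage, the "UserContext"
// session key, Login.aspx) are assumptions made for this example.
public enum AccessLevel { Anonymous = 0, User = 1, Admin = 2 }

[Serializable] // lets the object survive out-of-process session state
public sealed class UserContext
{
    public readonly int UserId;
    public readonly AccessLevel Level;
    public UserContext(int userId, AccessLevel level) { UserId = userId; Level = level; }
}

public static class Auth
{
    // Call only after the password check succeeded. userId and level come from
    // the user/role tables, never from form fields, query strings or cookies.
    public static void SignIn(HttpSessionState session, int userId, AccessLevel level)
    {
        session["UserContext"] = new UserContext(userId, level);
    }
}

public abstract class SecuredPage : Page
{
    // A page that forgets to override this is treated as admin-only.
    protected virtual AccessLevel RequiredLevel { get { return AccessLevel.Admin; } }

    protected override void OnInit(EventArgs e)
    {
        // Session state lives on the server; the browser holds only the session ID.
        UserContext user = Session["UserContext"] as UserContext;
        AccessLevel actual = (user == null) ? AccessLevel.Anonymous : user.Level;
        if (actual < RequiredLevel)
        {
            // endResponse: true aborts the request so no page content is rendered.
            Response.Redirect(ResolveUrl("~/Login.aspx"), true);
        }
        base.OnInit(e);
    }
}

// A page's code-behind declares the level it needs.
public class ReportsPage : SecuredPage
{
    protected override AccessLevel RequiredLevel { get { return AccessLevel.User; } }
}
```

The login page itself derives from Page rather than SecuredPage, so an anonymous visitor can reach it.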

OK, thanks for the additional information. I am wondering why as well,
hopefully clintonG will respond.
--
Paul G
Software engineer.

May 4 '06 #9

This discussion thread is closed
