Access restriction to web application

Rattlesnake
Hi,
I have developed an ASP.NET (1.1) application. It uses Windows Authentication.
I have a database that contains a USERS table that lists all the users that have access to the application.

In the Session_Start sub I read the Request.ServerVariables("LOGON_USER") variable and check the USERS table for this username. If the username does not exist in the USERS table, I redirect him to a webform (UserError.aspx) that displays a message that he does not have access to the system. In the Page_Load of this form I call Session.Clear() and Session.Abandon().

This seems to work fine, but with one glitch. If the user accesses the application at, for example, http://server1/App1/Default.aspx
it takes him to the UserError.aspx page. If he refreshes the page once, it again takes him to UserError.aspx. But if he refreshes the page a second time, it takes him to the Default.aspx page. I have noticed that on the 2nd refresh the Session.Clear and Session.Abandon are not run.

Any ideas why?

Is there a better way of restricting access to the application? I don't want to use Forms Authentication.

Thanks
 
I don't think you need to have a table of users for Windows Authentication. Doesn't Windows Authentication use domain names? If users are part of the domain, they have access. If not, they don't...

Now, I know for Forms Authentication you need to have a list of users/passwords somewhere, like in the database... as you have now.

The last application I worked with used Windows Authentication. We didn't have a table of users/passwords to authenticate. It authenticates using WindowsPrincipal:

http://samples.gotdotnet.com/quickstart/aspplus/doc/windowsauth.aspx

http://aspnet.4guysfromrolla.com/articles/031204-1.aspx
 
Hi,
Sorry for not having explained it more clearly earlier.
I DON'T want all the users in my domain to have access to this application. Only a few employees from a specific department need to have access to this application. To specify these users I need to have a table that contains the usernames of the users that should have access to the system.
 
Then, to answer your question about restriction, that's what we did on my last application as well: have a table to restrict users.

As for the session, I don't know. Maybe you can use the debugger, which I'm sure you've done already. Maybe someone else can give you more ideas...
 
You could simply use the <authorization> section of the web.config to say which users and groups do and don't have access then.

Code:
      <authorization>
        <allow roles="Domainname\Groupname" />
        <deny users="?"/>
      </authorization>
 
But then I will need to update the web.config every time I need to give a new user access to the application. And changing the web.config resets the application.
 
One more point is that access to the application will be controlled by a non-technical guy (the department head), so I need a user interface for him to add/delete users. I don't think that would be possible using the web.config solution.
 
How often are you likely to be adding new users to the system? If you give permissions to roles rather than individual users, simply adding the user to the correct domain group will be all that is required.

I've nothing against doing it yourself; however, every time you duplicate existing functionality you are increasing the LOC needing to be documented, tested, debugged and secured, plus all the extra UI required to implement the solution.
 
Hi,
Below is the code that I currently have

Code:
Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
        ' Fires when the session is started
        Dim UA As New UserAccess
        UA.AssignAccess()
        UA = Nothing
End Sub

' Returns True when the current Windows user is listed in the USERS table;
' otherwise redirects to UserAccess.aspx and returns False.
Public Function AssignAccess() As Boolean
        Dim userName As String = HttpContext.Current.User.Identity.Name
        ' UserExists is the poster's USERS-table lookup, which is not shown in the post.
        If Not UserExists(userName) Then
            ' User does not have access to the application, so redirect him to "UserAccess.aspx",
            ' which displays a message that the user does not have access to the application.
            Dim rdirectpath As String
            rdirectpath = "/" + "TestApplication" + "/UserAccess.aspx"
            HttpContext.Current.Response.Redirect(rdirectpath)
            Return False
        End If
        Return True
End Function

'-------------- Page Load of the UserAccess.aspx page -----------------------------------------------
Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        Dim NoAccessError As String
        NoAccessError = "You don't have access to this application"
        lblError.Text = NoAccessError
        Session.Clear()
        Session.Abandon()
End Sub

With this code, what happens is that the user is redirected to the UserAccess.aspx page the first time. If he copies the link http://server1/App1/Default.aspx
and pastes it in the same window, the user is redirected to the UserAccess.aspx page again. But if he pastes it a second time, the user is NOT redirected to the UserAccess.aspx page, but reaches the Default.aspx page.
The Session.Abandon code is not run when he pastes the link a second time.

This is my problem :(

Thanks
 
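Added example, not code from any post in this thread. The check above lives in Session_Start, so it only runs when ASP.NET creates a new session; any request that does not trigger that event reaches Default.aspx, which is exactly what the poster sees on the second paste. Authorization has to be enforced on every request, independent of session state. The Global.asax.vb below does that in Application_AuthorizeRequest for an ASP.NET 1.1 application under Windows Authentication. It assumes (none of this is stated in the thread) a SQL Server table USERS with a column UserName holding "DOMAIN\user" values, a connection string in web.config appSettings under the key "UsersDb", and the message page at <application root>/UserAccess.aspx.

```vbnet
' Added example (not from the thread): Global.asax.vb, ASP.NET 1.1, Windows Authentication.
' Assumed: table USERS(UserName) with "DOMAIN\user" values, appSettings key "UsersDb",
' and the message page at <application root>/UserAccess.aspx.
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Configuration
Imports System.Web

Public Class Global
    Inherits System.Web.HttpApplication

    ' AuthorizeRequest fires on every request, after IIS/ASP.NET have established
    ' the Windows identity, so the check does not depend on session state and
    ' cannot be skipped by a request that arrives with an existing session ID.
    Sub Application_AuthorizeRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' The message page itself must stay reachable, or the redirect loops.
        If Request.Path.ToLower().EndsWith("/useraccess.aspx") Then
            Return
        End If

        ' Fail closed: anything not authenticated or not in the table is denied.
        If Not Context.User.Identity.IsAuthenticated _
           OrElse Not IsListedUser(Context.User.Identity.Name) Then
            Dim messagePage As String = Request.ApplicationPath.TrimEnd("/"c) & "/UserAccess.aspx"
            ' endResponse = True ends the pipeline here, so the requested page
            ' (Default.aspx or any other) never executes for an unlisted user.
            Response.Redirect(messagePage, True)
        End If
    End Sub

    ' Looks the Windows account name up in USERS with a parameterised query;
    ' the account name is data and is never concatenated into the SQL text.
    ' A database error raises an exception, which denies the request rather
    ' than letting it through.
    Private Function IsListedUser(ByVal accountName As String) As Boolean
        Dim conn As New SqlConnection(ConfigurationSettings.AppSettings("UsersDb"))
        Dim cmd As New SqlCommand("SELECT COUNT(*) FROM USERS WHERE UserName = @UserName", conn)
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = accountName
        Try
            conn.Open()
            Return CInt(cmd.ExecuteScalar()) > 0
        Finally
            conn.Close()
        End Try
    End Function

End Class
```

The `<deny users="?"/>` from the web.config posted earlier still belongs in web.config, so anonymous requests are rejected before this handler runs. With the lookup on every request, Session.Clear and Session.Abandon in UserAccess.aspx no longer play any part in access control, and the department head's add/delete UI only has to edit the USERS table, so web.config never changes and the application is not restarted. If a plain HTTP error is preferable to a message page, set `Response.StatusCode = 403` and call `CompleteRequest()` instead of the redirect.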