Web.config + Locking certain users out of a particular page

[mike55]

Hi,

When my user logs into the system, I create a session variable to store their username and their access level, currently there are only two access levels 1 => administrator or 2 => manager.

The manager has only permission to view some of the pages. Is it possible to set in the web.config file, that a particular page can only be viewed if a person has access = 1.

This is in response to someone once they have logged into the system simple typing the url of a page that they are not suppose to be able to see.

Mike55

 

[PlausiblyDamp]

Rather than implementing your own security model you may want to look at Forms Authentication. that would give you a simple method of administering access via the web.config.

 

[mike55]

Rather than implementing your own security model you may want to look at Forms Authentication. that would give you a simple method of administering access via the web.config.

Yea, am using Form Authentication, however I need to effectively lock down some pages to prevent a certain class of user gaining access to that page.

Mike55.

 

[PlausiblyDamp]

If you are already using forms authentication why are you also storing the user name and access level in a variable? You can always get the username via the User object (User.Identity.Name) and you could then implement a basic group model to control access to resources.

 

[SteveoAtilla]

Yea, am using Form Authentication, however I need to effectively lock down some pages to prevent a certain class of user gaining access to that page.

Mike55.

Each page (in Page_Load) needs to validate security level. If they have access, continue to load, otherwise redirect to error page.