Rattlesnake
Posted September 16, 2006

Hi, I have developed an ASP.Net (1.1) application. It uses Windows Authentication. I have a database that contains a USERS table that lists all the users that have access to the application. In the Session_Start sub I read the Request.ServerVariables("LOGON_USER") variable and check the USER table for this username. If the username does not exist in the USERS table I redirect him to a webform (UserError.aspx) that displays a message that he does not have access to the system. In the Page Load of this form I call Session.Clear() and Session.Abandon().

This seems to work fine, but with one glitch. If the user accesses the application, e.g. http://server1/App1/Default.aspx, it takes him to the UserError.aspx page. If he refreshes the page once, it again takes him to UserError.aspx. But if he refreshes the page a second time, it takes him to the Default.aspx page. I have noticed that on the 2nd refresh the Session.Clear and Session.Abandon are not run. Any ideas why???

Is there a better way of restricting access to the application? I don't want to use forms authentication. Thanks

When you gotta go, you gotta go !!!!!!!

eramgarden
Posted September 16, 2006

I don't think you need to have a table of users for Windows Authentication. Doesn't Windows authentication use domain names? If users are part of the domain, they have access. If not, they don't... Now, I know for Forms authentication, you need to have a list of users/pwds somewhere like in the database...as you have now.

The last application I worked with used Windows Authentication. We didn't have a table of users/pwds to authenticate. It authenticates using WindowsPrincipal:

http://samples.gotdotnet.com/quickstart/aspplus/doc/windowsauth.aspx
http://aspnet.4guysfromrolla.com/articles/031204-1.aspx

Rattlesnake (Author)
Posted September 16, 2006

Hi, sorry for not having explained it more clearly earlier. I DON'T want all the users in my domain to have access to this application. Only a few employees from a specific department need to have access to this application. To specify these users I need to have a table that contains the usernames of the users that should have access to the system.

eramgarden
Posted September 16, 2006

Then to answer your question of restriction, that's what we did on my last application as well: have a table to restrict users. As for the session, I don't know. Maybe you can set the debugger, which I'm sure you've done already. Maybe someone else can give you more ideas.

PlausiblyDamp (Administrators)
Posted September 17, 2006

You could simply use the section of the web.config to say which users and groups do and don't have access then.

Intellectuals solve problems; geniuses prevent them. -- Albert Einstein

Rattlesnake (Author)
Posted September 18, 2006

But then I will need to update the web.config every time I need to give a new user access to the application. And changing the web.config resets the application.

Rattlesnake (Author)
Posted September 18, 2006

One more point is that the access to the application will be controlled by a non-technical guy (the department head), so I need a user interface for him to add/delete users. I don't think that would be possible using the web.config solution.

PlausiblyDamp (Administrators)
Posted September 18, 2006

How often are you likely to be adding new users to the system? If you give permissions to roles rather than individual users, simply adding the user to the correct domain group will be all that is required.

I've nothing against doing it yourself. However, every time you duplicate existing functionality you are increasing the LOC needing to be documented, tested, debugged and secured, plus all the extra UI required to implement the solution.

Rattlesnake (Author)
Posted September 18, 2006

Hi, below is the code that I currently have:

    Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
        ' Fires when the session is started
        Dim sid As String
        Dim UA As New UserAccess
        UA.AssignAccess()
        UA = Nothing
    End Sub

    ' Member of the UserAccess class
    Public Function AssignAccess() As Boolean
        ' Code to check if HttpContext.Current.User.Identity.Name exists in USER table.
        Dim DoesNotExist As Boolean ' set by the USER table lookup (not shown)
        If DoesNotExist Then
            ' User does not have access to the application, so redirect him to page "UserAccess.aspx"
            ' that displays a message that the user does not have access to the application
            Dim rdirectpath As String
            rdirectpath = "/" + "TestApplication" + "/UserAccess.aspx"
            HttpContext.Current.Response.Redirect(rdirectpath)
        End If
    End Function

    '-------------- Page Load of the UserAccess.aspx page --------------
    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        Dim NoAccessError As String
        NoAccessError = "You dont have access to this application"
        lblError.Text = NoAccessError
        Session.Clear()
        Session.Abandon()
    End Sub

With this code, what happens is that the user is redirected to the UserAccess.aspx page the first time. If he copies the link http://server1/App1/Default.aspx and pastes it in the same window, the user is redirected to the UserAccess.aspx page again. But if he pastes it a second time, the user is NOT redirected to the UserAccess.aspx page, but reaches the Default.aspx page. The Session.Abandon code is not run when he pastes the link a second time.

This is my problem :(

Thanks

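Session_Start fires only when a new session is created, so a check placed there does not run on every request. As an added example (not code from any poster in this thread), the same table lookup can run in Application_AuthorizeRequest, which fires on each request; the class name App1Application, the UserName column, the "AccessDb" appSettings key and anonymous access being disabled in IIS are assumptions.

```vbnet
' Global.asax.vb for ASP.NET 1.1 (added example, not the thread's code).
' Assumed names: class App1Application, column USERS.UserName, appSettings key "AccessDb".
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Principal
Imports System.Web

Public Class App1Application
    Inherits System.Web.HttpApplication

    ' Fires on every request, after Windows authentication has populated
    ' Context.User, so an abandoned or reused session cannot skip the check.
    Sub Application_AuthorizeRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim principal As IPrincipal = Context.User
        If principal Is Nothing OrElse Not principal.Identity.IsAuthenticated _
           OrElse Not IsAllowedUser(principal.Identity.Name) Then
            ' Fail closed: answer 403 here instead of redirecting, so no page
            ' of the application executes for a user who is not in the table.
            Response.StatusCode = 403
            Response.Write("You do not have access to this application.")
            CompleteRequest()
        End If
    End Sub

    Private Function IsAllowedUser(ByVal userName As String) As Boolean
        ' Cache each answer for one minute: limits database load, and a
        ' user removed from the table loses access within a minute.
        Dim key As String = "allowed:" & userName.ToLower()
        Dim cached As Object = Context.Cache(key)
        If Not cached Is Nothing Then Return CBool(cached)

        Dim allowed As Boolean = False
        Dim conn As New SqlConnection(ConfigurationSettings.AppSettings("AccessDb"))
        Try
            ' Parameterized query: the login name is never concatenated into SQL.
            Dim cmd As New SqlCommand("SELECT COUNT(*) FROM USERS WHERE UserName = @name", conn)
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = userName
            conn.Open()
            allowed = CInt(cmd.ExecuteScalar()) > 0
        Finally
            conn.Close()
        End Try
        Context.Cache.Insert(key, allowed, Nothing, DateTime.Now.AddMinutes(1), System.Web.Caching.Cache.NoSlidingExpiration)
        Return allowed
    End Function
End Class
```

Global.asax has to name this class in its Inherits attribute. An add/delete screen for the department head then only writes to the USERS table, with no web.config change and no application restart.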