Best way to implement user access to functions on website?

Posted: 6/19/2011

CodingIsFun
Lurker (40 points)
  • Joined on: 6/4/2011
  • Posts: 8

Hi,

Not sure 100% if this is the correct forum for this!

The question I have is: if you've created your own tables in the database for group + user permissions to functionalities, what is the most efficient way to implement security checks on whether a user can access the various pages/functionalities on your website?

Say the options consist of:

1. Storing a permissions object in the SESSION once the user logs in. You store a User object with userid, groupid, username, etc., but also a Permissions object which has information on the various functions a user does have access to. When a user visits a particular page, say AddProduct.aspx, which represents the "Add Product" functionality, you check against the Permissions object in session whether the user has access to it; if not, you redirect the user. Otherwise, you display the page.

Advantage: you don't query the database to check if the user has permissions to pages/functionalities.
Disadvantage: if an admin user were to change the user's permission to NOT be able to access this page/functionality anymore, it would not take effect until the user logged out and logged back in and the Permissions object in Session was re-created with updated info.

2. Checking directly against the database. If a user visits AddProduct, you check directly against the database whether the user has permissions to this function/page. If so, display it; if not, redirect the user.

Advantage: if an admin user changes the user's permission to not be able to access this functionality/page, it will take immediate effect the next time the user visits this page.
Disadvantage: the database is queried in order to determine if the user has access to this functionality/page. This could prove to be an issue for any functionality/page which could have lots of users visiting it.


The only other option I can think of for now is storing User permissions for logged-in users in Cache, although I'm new to Cache and have not experimented to see if I can access/modify items in the cache from my BLL or DAL classes.

Storing the user permissions in session seemed like not a bad idea to cut down on calls to the database, but it introduces the problem that if you had a user on your website who had power and became a troublemaker, you'd want to immediately change the permission and have an immediate change, and not rely on them logging out... On the other hand, you want to decrease the number of calls made to the database...

Any help with this scenario would be appreciated!

Thank you!

- Mark


Posted: 6/20/2011

Starter (727 points)
  • Joined on: 6/6/2011
  • Posts: 74
  Answered

Hi,

For your scenario you should at least implement the ASP.NET Membership Role Provider, or you can implement the whole ASP.NET Membership provider. You can manage users, roles and profiles. At the following links you can find samples and a nice tutorial on how to implement the ASP.NET Membership Provider.

How To: Use Membership in ASP.NET 2.0

http://msdn.microsoft.com/en-us/library/ff648345.aspx

Introduction to Membership

http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx

Second, you can try to implement the new provider from Microsoft that Scott Hanselman announced a few days ago, "ASP.NET Universal Providers" for Session, Membership, Roles and User Profile on SQL Compact and SQL Azure. It's still an alpha version; if you are brave enough, I recommend you try it. Using these Universal "Default Profile Providers" means all you have to do is set the right connection string and your applications that use these services will work with SQL Server (plus Express), SQL Server Compact and SQL Azure with no code changes from you.

Here is the link to Scott Hanselman's blog:

http://www.hanselman.com/blog/IntroducingSystemWebProvidersASPNETUniversalProvidersForSessionMembershipRolesAndUserProfileOnSQLCompactAndSQLAzure.aspx

Third, you can write your own custom ASP.NET Profile class; you can find more at the following link:

http://odetocode.com/articles/440.aspx

Best Regards,

Gjorgji Dimitrov


Posted: 6/20/2011

CodingIsFun
Lurker (40 points)
  • Joined on: 6/4/2011
  • Posts: 8

Hi Gjorgji.

Thanks for the reply.

I've never looked at ASP.NET Membership, I'll be sure to check it out.

I'm curious though: typically, in the scenario where a user attempts to access a public page, say for the sake of a simple example a page on your website like AddComment.aspx, which allows you to add a comment to a news article...

If the user was put in the "banned" usergroup instead of "registered", does that mean in AddComment.aspx you first need to check against the database if the user has permissions to this page/functionality? If you store the groupid of the user in SESSION, and they have stayed on the website the whole time while you've placed them in the "Banned" usergroup, the groupid in the Session is outdated... i.e., it's still the groupid of the "Registered" user group.

I guess the question in the end is... when checking a user's permission to some public pages that contain certain functionalities for normal Registered users, do you need to check against the database if they have the permissions to access that page?


Thanks again,

Mark
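Both of Mark's posts come down to the same trade-off (a permission set cached at login is cheap but goes stale the moment an admin bans the user), so here is one added example that is not code from this thread and not the ASP.NET Membership API. It shows the Cache option from the first post done so that revocation is immediate, in Python as a language-neutral sketch of the pattern; FakeDb, perm_version, SessionOnlyAuthz and VersionedCacheAuthz are all names constructed for the example, and the in-memory "database" is constructed sample data. The idea: keep a perm_version integer on the user row, bump it whenever an admin changes the user's group, and have each cached permission set carry the version it was loaded under. A check then costs one cheap indexed read instead of the full user/group/permission join, and the join re-runs only after something changed.

```python
"""Added example (not from the thread): a per-user permission cache that is
invalidated the moment an admin changes the user's group, so a banned user
is denied on the very next request without re-running the full
user/group/permission query on every page hit. All names and data are
constructed for the example."""
from dataclasses import dataclass


# Constructed sample data standing in for the poster's group/permission tables.
GROUP_PERMISSIONS = {
    "registered": {"AddComment"},
    "editor": {"AddComment", "AddProduct"},
    "banned": set(),
}


@dataclass
class UserRow:
    user_id: int
    group_id: str
    perm_version: int = 0  # bumped whenever this user's access changes


class FakeDb:
    """Stands in for the real tables; counts queries so the cost of each
    strategy is visible."""

    def __init__(self):
        self.users = {1: UserRow(1, "registered"), 2: UserRow(2, "editor")}
        self.full_queries = 0     # user row joined to group permissions
        self.version_queries = 0  # one indexed integer column

    def load_permissions(self, user_id):
        self.full_queries += 1
        row = self.users.get(user_id)
        if row is None:  # unknown user: no version, no permissions
            return None, frozenset()
        return row.perm_version, frozenset(GROUP_PERMISSIONS[row.group_id])

    def read_version(self, user_id):
        self.version_queries += 1
        row = self.users.get(user_id)
        return None if row is None else row.perm_version

    def set_group(self, user_id, group_id):
        """Admin action: move the user and bump the version so every cached
        copy of their permissions, on every web server, is stale at once."""
        row = self.users[user_id]
        row.group_id = group_id
        row.perm_version += 1


class SessionOnlyAuthz:
    """Option 1 from the post: permissions loaded into the session at login
    and never refreshed, so a ban only takes effect after re-login."""

    def __init__(self, db):
        self.db = db
        self.sessions = {}

    def login(self, user_id):
        _, perms = self.db.load_permissions(user_id)
        self.sessions[user_id] = perms

    def can(self, user_id, permission):
        # Fail closed: no session entry means no permissions.
        return permission in self.sessions.get(user_id, frozenset())


class VersionedCacheAuthz:
    """Cache keyed by user id. Each check costs one cheap version read; the
    full permission query runs only when the admin has changed something."""

    def __init__(self, db):
        self.db = db
        self.cache = {}  # user_id -> (perm_version, frozenset of permissions)

    def can(self, user_id, permission):
        entry = self.cache.get(user_id)
        if entry is None or entry[0] != self.db.read_version(user_id):
            entry = self.db.load_permissions(user_id)
            if entry[0] is None:  # unknown user: deny and cache nothing
                return False
            self.cache[user_id] = entry
        return permission in entry[1]


def demo():
    """Ban a logged-in user and show which strategy notices immediately."""
    db = FakeDb()
    stale = SessionOnlyAuthz(db)
    live = VersionedCacheAuthz(db)
    stale.login(1)
    before = (stale.can(1, "AddComment"), live.can(1, "AddComment"))
    db.set_group(1, "banned")  # admin bans user 1 while they are still logged in
    after = (stale.can(1, "AddComment"), live.can(1, "AddComment"))
    live.can(1, "AddComment")  # repeat hit: version unchanged, no reload
    return before, after, db.full_queries, db.version_queries


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False), 3, 2)
```

In ASP.NET the cache dictionary would live in the application cache (HttpRuntime.Cache), which is shared across all sessions, rather than in Session, with the version read wrapped in a BLL method. Simply evicting the entry when the admin page runs is not enough once you have more than one web server, because each server holds its own copy; that is exactly what the version column (or a SqlCacheDependency on the user table) solves. Whatever you cache, the check still has to run server-side on every request that performs the sensitive action, not only when the page first loads, and a missing or unknown entry must deny.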

