Security on page

  • Thread starter: NH

NH

I am trying to restrict users' access to certain pages in my ASP.NET 2.0 app.

What I have done is check the user's permissions (based on data stored in
the database) in the Page Load event of the page. If they don't have access I just
do a Response.Redirect to another page.

So it works something like this..

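    ' Page Load event; userHasPermission comes from the permission data stored in the database
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        If Not IsPostBack Then
            If Not userHasPermission Then
                Response.Redirect("somewhereelse.aspx")
            End If
        End If
    End Sub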

Should I be doing this check on some other page event, or is there a way a
smart user could bypass this check and get access to the page?
 
It depends on how you are deriving userHasPermission. If this is pulled out
of a cookie value or querystring data then it's possible that a user could
bypass it. If possible you may be better off using Forms Authentication in
your application which will do all this processing for you.
 
There is no need to check permission on each page.

I feel you should look at the Membership & Role features of ASP.NET.
Also check the <location> tag of web.config.

After a quick study of the above you should get some good alternative ways.

Regards
JIGNESH.
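
The alternative the replies point to, sketched as a web.config (an added example, not from any poster in this thread): Forms Authentication plus a `<location>` authorization rule, which ASP.NET enforces on every request to the page, postbacks included, before any page code runs. The page names `Login.aspx` and `Reports.aspx` and the role name `Managers` are assumptions chosen for illustration.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms Authentication: requests without a valid auth ticket
         are redirected to the login page (assumed name: Login.aspx) -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" timeout="30" />
    </authentication>

    <!-- Role manager supplies the role membership used by the
         roles="..." rule below (ASP.NET 2.0 Membership & Roles) -->
    <roleManager enabled="true" />

    <!-- Site-wide default: deny anonymous users ("?") -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-page rule for a restricted page (assumed name: Reports.aspx).
       Rules are evaluated top-down and the first match wins, so the
       allow must come before the catch-all deny ("*" = everyone). -->
  <location path="Reports.aspx">
    <system.web>
      <authorization>
        <allow roles="Managers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place the decision is based on the authenticated identity and its roles held server-side, not on a value the browser sends, and no permission check has to be repeated in each page's Page_Load.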
 