Management of permissions in ASP.NET

  • Question

  • I am putting together an architectural design for an ASP.NET application. The application should allow multiple administration levels and authorities. I am thinking of managing user logon and permissions using session variables. When the user is authenticating, according to his role (which is stored in the database) a "role" session variable is created. When requesting a page, this session variable is tested and according to its value the user either uses the page or is directed to a "No permission" page. Is there any better method for doing this task?
    Wednesday, August 2, 2006 2:24 PM

All replies

  • Hi Muhammad,

       the question is... what if anyone (another process, a hacker, an unscrupulous developer in the organization or anyone else interested in committing fraud) gains access to the session variable and overwrites its value? If that could happen, you are facing the risk of "elevating privileges".

       If you are conscious of that and can avoid it... go ahead.

       Anyway, I would suggest that you check this article, which appeared in MSDN Magazine in November 2005:

    Design and Deploy Secure Web Apps with ASP.NET 2.0 and IIS 6.0

       Hope it helps.

    Thursday, August 3, 2006 6:58 PM
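The two designs discussed above side by side, as an added example that is not code from either poster: the session-variable scheme from the question, and the ASP.NET 2.0 forms-authentication plus role-provider scheme the reply's MSDN article argues for. The page names (Admin/Users.aspx, NoPermission.aspx), the "Admin" role, the `Users` table and the control names (`UserName`, `Password`, `FailureText`, `DeleteButton`) are assumptions for illustration; the controls are declared in the corresponding .aspx markup, which is not shown.

```csharp
// Added example (not from the original thread). Compares the session-variable
// role check described in the question with the built-in ASP.NET 2.0
// authorization pipeline. Page/role/table/control names are assumptions.
using System;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// --- 1. The design in the question: role cached in Session at logon --------
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string role = LookupRoleFromDatabase(UserName.Text, Password.Text);
        if (role == null) { FailureText.Text = "Invalid logon"; return; }

        Session["role"] = role;   // the only thing every page later trusts
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
    }

    // Hypothetical Users table (UserName, PasswordHash, Role); the hashing of
    // the supplied password is left to a helper that is assumed to exist.
    private static string LookupRoleFromDatabase(string user, string password)
    {
        const string cs = "Server=.;Database=App;Integrated Security=SSPI"; // assumed
        using (SqlConnection con = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Role FROM Users WHERE UserName=@u AND PasswordHash=@h", con))
        {
            cmd.Parameters.AddWithValue("@u", user);
            cmd.Parameters.AddWithValue("@h", PasswordHasher.Hash(password)); // assumed helper
            con.Open();
            return cmd.ExecuteScalar() as string;   // null when no row matched
        }
    }
}

// Each protected page must derive from this (or repeat the check); a page that
// forgets is open, and anything that can write Session["role"] sets the level.
public class SessionRoleCheckedPage : Page
{
    protected string RequiredRole = "Admin";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if ((string)Session["role"] != RequiredRole)
            Response.Redirect("~/NoPermission.aspx");
    }
}

// --- 2. Built-in alternative: forms authentication + role provider ---------
// web.config fragment (configuration, not C#):
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="Login.aspx" />
//     </authentication>
//     <roleManager enabled="true" />
//   </system.web>
//   <location path="Admin">
//     <system.web>
//       <authorization>
//         <allow roles="Admin" />
//         <deny users="*" />
//       </authorization>
//     </system.web>
//   </location>
// ASP.NET evaluates <authorization> in the pipeline before any page code runs,
// so every request under /Admin is refused for non-Admins even if a page
// author never writes a check. The role comes from the configured
// RoleProvider (backed by the database), not from a value the page stored.
public partial class Login2 : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (Membership.ValidateUser(UserName.Text, Password.Text))
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        else
            FailureText.Text = "Invalid logon";
    }
}

// Imperative check inside a page, for decisions finer than "can load this URL"
// (for example, which controls to render). Both calls consult the role
// provider for the currently authenticated user rather than Session state.
public partial class Users : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        DeleteButton.Visible = User.IsInRole("Admin");
        if (!Roles.IsUserInRole("Admin"))
            Response.Redirect("~/NoPermission.aspx");
    }
}
```

Two practical differences follow from the second layout: the check is declared once for a whole directory instead of being re-implemented per page, and the role is re-read from the provider rather than pinned in Session for the lifetime of the logon, so a role revoked in the database takes effect on the next request instead of at the next logout.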
  • Muhammad,

       you can also take an integrated look at security with this guidance:

       Threat Modeling Web Applications


    Thursday, August 3, 2006 10:35 PM