Global.asax beginner question


^MisterJingo^

Hi all,

I'm attempting to create a login/role system for an application I'm
building. My idea is to store an instance of a 'webapp' object in
global.asax. This object stores login (username, ID) and role
information (user, admin etc) which is set on a successful login.
Would it be ok to put this object in the global.asax file and initiate
it on Session_start?
I'm unsure of any potential security implications of doing this.


thanks
 
Is this "webapp" object a per user object? If so, initiating it from
the session_start seems to be the right place.

Alex
 
Yes.
I figured having a per user/session object which, when the user logs
in, will contain their permissions, ID (for db manipulation) and a few
other needed bits of information.
Each page will contain an object specifying the access level needed to
view that page, with a redirect for failed access.

Does this sound like an ok way of doing things?

I asked about the global.asax as I wanted to make sure storing login
information in an object from there was secure, i.e. no-one could
manipulate it to log in without credentials.
 
One way to do it with forms authentication is set up a user and password
table with role information. You can then use the role settings to allow for
specific page access.
 
None of this is needed or even possibly desirable with ASP.NET 2.0
Membership, Roles and Profiles.
 
clintonG said:
None of this is needed or even possibly desirable with ASP.NET 2.0
Membership, Roles and Profiles.

I can't use membership, roles and profiles as I am using MySQL. I am
not willing to pay out hundreds of pounds a month to host on MS-SQL for
a personal project when I could write what is needed and use MySQL for
free.
I have tried some ODBC membership/role providers but they don't work
or are very buggy.
So out of curiosity, why isn't it desirable?
 
Have not worked with asp.net 2.0 but heard it automates all of this for you
or makes it very easy to set up. I used roles, password and user tables with
MySQL and asp.net 1.1. Seems to work fine as we only have a few hundred
users.

table 1.

*********************************************
* user id * user name * password * role id *
*********************************************

table 2.

************************
* role id * role level *
************************
 
Paul said:
Have not worked with asp.net 2.0 but heard it automates all of this for you
or makes it very easy to set up. I used roles, password and user tables with
MySQL and asp.net 1.1. Seems to work fine as we only have a few hundred
users.

table 1.

*********************************************
* user id * user name * password * role id *
*********************************************

table 2.

************************
* role id * role level *
************************


Hi Paul,

This is what I've done. On login auth, a session object stores the role
and it is checked against a page object, redirecting if the user has
not got the needed role.
The objects which create this functionality in .net2.0 are catered to
MS-SQL. It's supposedly possible to inherit from the base of these
objects to write your own version for your own DB. But it seems like a
LOT of work, and the ones I've downloaded from the net (created by
other users for MySQL) don't seem to work correctly.
Also, compared to the objects I can create to enable this
functionality and secure the site, the pre-rolled .net 2.0 ones seem
pretty large.

A few posts up clintonG says writing your own isn't desirable and I'm
curious why - I don't want to inadvertently leave security holes in the
site.
 
OK, thanks for the additional information. I am wondering why as well,
hopefully clintonG will respond--
Paul G
Software engineer.
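
The approach discussed in this thread (a per-session object set at login and checked against each page's required access level, with a redirect on failure), shown as an added example that is not code from any poster. The names UserContext, RoleProtectedPage, SignIn, the session key, Login.aspx, AccessDenied.aspx and AdminReports, and the convention that a higher role level means more access, are assumptions.

```csharp
using System;
using System.Web.SessionState;
using System.Web.UI;

// Hypothetical per-user object. Session state is held on the server; the
// browser only carries the session ID, so these fields are not client-editable.
[Serializable]
public sealed class UserContext
{
    public readonly int UserId;
    public readonly string UserName;
    public readonly int RoleLevel;   // "role level" column of table 2

    public UserContext(int userId, string userName, int roleLevel)
    {
        UserId = userId; UserName = userName; RoleLevel = roleLevel;
    }
}

public abstract class RoleProtectedPage : Page
{
    public const string SessionKey = "UserContext";   // assumed key name

    // Every page must state the level it needs; there is no permissive default.
    protected abstract int RequiredRoleLevel { get; }

    // Call only after the password check against the user table has succeeded.
    // Nothing is stored at Session_Start, so a fresh session has no identity.
    public static void SignIn(HttpSessionState session, UserContext user)
    {
        session[SessionKey] = user;
    }

    // Fails closed: no object in the session means no access.
    public static bool IsAllowed(UserContext user, int requiredLevel)
    {
        return user != null && user.RoleLevel >= requiredLevel;
    }

    protected override void OnInit(EventArgs e)
    {
        UserContext user = Session[SessionKey] as UserContext;
        // endResponse = true stops the page before any protected content runs.
        if (user == null) Response.Redirect("~/Login.aspx", true);
        if (!IsAllowed(user, RequiredRoleLevel)) Response.Redirect("~/AccessDenied.aspx", true);
        base.OnInit(e);
    }
}

// A code-behind class opts in by inheriting and declaring its level.
public partial class AdminReports : RoleProtectedPage
{
    protected override int RequiredRoleLevel { get { return 10; } }   // assumed admin level
}
```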
 