asp application security

Discussion in 'ASP General' started by Bryan Harrington, May 7, 2004.

  1. A little background first.. I'm working from home.. no real team to bounce
    ideas off of, so you guys are it.

    I'm working on an app SQL2k / ASP Classic, the quick and dirty is there is a
    "worklist" of items for users to fix items so that the bill can be paid,
    and there are also a series of reports. All items are grouped into 1 of 12
    categories. Users are members of one of those 12 groups (categories).

    A user's worklist can be "filtered" by an admin based on location, bill
    amount, first letter of payee's last name etc. Individual report access is
    also limited based on user rights.

    So.. how to maintain user security. A couple of ideas..

    When a user logs in.. put a bunch of stuff into session variables that I can
    then access as needed.

    Second idea is to put just the logged in userID into a session variable, and
    then call an SP or a function to check security as needed.

    Third idea is to load up an array on login, stuff it on the session, call a
    function on the page(s) as needed to check for appropriate rights

    Last.. stuff some security info into a user specific Application var, and
    call that as needed.. and then kill it on logout

    Thanks for reading.. any thoughts on which may work better? Or a better
    solution perhaps?

    Bryan Harrington, May 7, 2004

  2. Tim M

    Tim M Guest

    The way I'd do it is to put the user's ID in a session variable when they log in. You may also want to assign an access level (eg 1 for system admin, ... 3 normal user, .... 5 read only), as a session variable also. You'd probably want to relate userIDs to categories if they are one-one. Then create a page or function that defines business/access rules for each user. This function can then be called each time a transaction is requested. Depending on the transaction requested, the userID, and user access level the function would return true or false. If true the transaction is performed. If false it is denied.

    It's often hard to get users to logout. However, the server session timeout (normally about 20 minutes) will end the session and clear the session variables automatically.

    Hope this helps.
    Tim M, May 9, 2004

  3. Bullschmidt

    Bullschmidt Guest

    Perhaps have a login page that asks the user for his username and
    password. And whatever page that posts to (which could be the same page
    for a self posting form) tests these fields against what is in the
    database, sets the username and userlevel session variables accordingly,
    and then redirects to the proper page - i.e. back to the login page if
    the password is wrong (perhaps with a JavaScript popup saying wrong
    username/password combination) or to the main menu page if the password
    is correct:

    ' objRS is the recordset holding the user row matched by the login query
    Session("UserName") = objRS("UserName")
    Session("UserLevel") = objRS("UserLevel")
    Response.Redirect "mainmenu.asp"

    Then you can use If Then's or Select Case on each page to control
    whether a user is allowed to actually be there and whether particular
    links of where a user can go actually show up.

    ' Deny by default: anyone who is neither Admin nor Regular goes back to login
    If (Session("UserLevel") <> "Admin") And (Session("UserLevel") <> "Regular") Then
        Response.Redirect "login.asp"
    End If

    Best regards,
    J. Paul Schmidt, Freelance ASP Web Consultant
    ASP Design Tips, ASP Web Database Demo, Free ASP Bar Chart Tool...

    Bullschmidt, May 11, 2004
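A worked example of the second idea from the question (the session holds only the userID, and a function checks rights against the database on every request, as Tim M also suggests), added here as an illustration rather than code from either poster. It assumes a stored procedure named usp_UserHasRight(@UserID, @RightName) that returns one row with a column Allowed (1 or 0), an already-open ADODB connection in a variable named conn, and that this file is included at the top of each protected page.

```vbscript
<%
' checkaccess.asp - included at the top of every protected page (assumed layout).
' Only the numeric user ID lives in the session; the rights lookup hits the
' database each time, so an admin's change to a user's filters or report
' access takes effect on the next request instead of when the session expires.
Const adCmdStoredProc = 4
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1

' Returns True only when the stored procedure (assumed name) says the user
' holds the named right. Parameters are bound, never concatenated into SQL.
Function HasRight(userID, rightName)
    Dim cmd, rs
    HasRight = False
    If Not IsNumeric(userID) Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn          ' conn: open ADODB.Connection (assumed)
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "usp_UserHasRight"     ' assumed procedure name
    cmd.Parameters.Append cmd.CreateParameter("@UserID", adInteger, adParamInput, , CLng(userID))
    cmd.Parameters.Append cmd.CreateParameter("@RightName", adVarChar, adParamInput, 50, rightName)
    Set rs = cmd.Execute

    ' VBScript does not short-circuit And, so test EOF before reading the column.
    If Not rs.EOF Then
        If CLng(rs("Allowed")) = 1 Then HasRight = True
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Deny-by-default gate: no session, or no right, means back to the login page.
' Response.End makes sure nothing further on the page is rendered.
Sub RequireRight(rightName)
    If IsEmpty(Session("UserID")) Then
        Response.Redirect "login.asp"
        Response.End
    End If
    If Not HasRight(Session("UserID"), rightName) Then
        Response.Redirect "login.asp"
        Response.End
    End If
End Sub

' Example use at the top of a report page (right name is a constructed example):
' RequireRight "ViewReport_AgedPayables"
%>
```

Because the session stores only the ID, revoking a user's rights in the database denies them on their very next page load, which the "load everything into the session at login" approach cannot do without a re-login.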
