asp application security

Bryan Harrington

A little background first.. I'm working from home.. no real team to bounce
ideas off of, so you guys are it.

I'm working on an app SQL2k / ASP Classic, the quick and dirty is there is a
"worklist" of items for users to fix items so that the bill can be paid,
and there are also a series of reports. All items are grouped into 1 of 12
categories. Users are members of one of those 12 groups (categories).

A user's worklist can be "filtered" by an admin based on location, bill
amount, first letter of payee's last name etc. Individual report access is
also limited based on user rights.

So.. how to maintain user security. A couple of ideas..

When a user logs in.. put a bunch of stuff into session variables that I can
then access as needed.

Second idea is to put just the logged in userID into a session variable, and
then call an SP or a function to check security as needed.

Third idea is to load up an array on login, stuff it on the session, call a
function on the page(s) as needed to check for appropriate rights

Last.. stuff some security info into a user specific Application var, and
call that as needed.. and then kill it on logout

Thanks for reading.. any thoughts on which may work better? Or a better
solution perhaps?

Thanks!
Tim M

The way I'd do it is to put the user's ID in a session variable when they log in. You may also want to assign an access level (e.g. 1 for system admin, 3 normal user, 5 read-only) as a session variable also. You'd probably want to relate userIDs to categories if they are one-to-one. Then create a page or function that defines business/access rules for each user. This function can then be called each time a transaction is requested. Depending on the transaction requested, the userID, and the user access level, the function would return true or false. If true, the transaction is performed. If false, it is denied.

It's often hard to get users to log out. However, the server session timeout (normally about 20 minutes) will end the session and clear the session variables automatically.

Hope this helps.
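The design Tim M describes, written out as an added example (this is not code from the thread or from either poster): an include file that keeps only the numeric user ID in the session and asks SQL Server, on every protected request, whether that user may run the named transaction. The stored procedure names usp_UserHasRight and usp_WorklistForUser, the Application("ConnString") setting, the transaction names and the 403 handling are all assumptions made for the example; the stored procedures would hold the group membership, rights and the admin's per-user filters.

```vbscript
<%
' security.inc (added example) - include at the top of every protected page.
' Only the UserID lives in the session. Rights are decided by SQL Server on
' each request, so an admin's change to a user's group or filter applies at
' once, and nothing here trusts a value the browser sends.

Const adCmdStoredProc = 4, adExecuteNoRecords = 128
Const adInteger = 3, adVarChar = 200
Const adParamInput = 1, adParamReturnValue = 4

' True only when the logged-in user may perform transactionName.
' Fails closed: no session user, a DB error, or an unknown transaction
' name all yield False.
Function UserMay(transactionName)
    UserMay = False
    If IsEmpty(Session("UserID")) Then Exit Function
    If Not IsNumeric(Session("UserID")) Then Exit Function

    On Error Resume Next
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = Application("ConnString")   ' assumed: set in global.asa
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.usp_UserHasRight"            ' assumed SP: RETURN 1 = allowed
    ' Return-value parameter must be appended first; inputs are bound, never
    ' concatenated into SQL text, so the transaction name cannot inject.
    cmd.Parameters.Append cmd.CreateParameter("@RETURN", adInteger, adParamReturnValue)
    cmd.Parameters.Append cmd.CreateParameter("@UserID", adInteger, adParamInput, , CLng(Session("UserID")))
    cmd.Parameters.Append cmd.CreateParameter("@Transaction", adVarChar, adParamInput, 50, CStr(transactionName))
    cmd.Execute , , adExecuteNoRecords
    If Err.Number = 0 Then UserMay = (cmd.Parameters("@RETURN").Value = 1)
    On Error GoTo 0
End Function

' Ends the page with 403 when the right is missing. Call it before any
' work is done and before any HTML is written, so the response can still
' be replaced. Unauthenticated users are sent to the login page instead.
Sub RequireRight(transactionName)
    If IsEmpty(Session("UserID")) Then Response.Redirect "login.asp"
    If Not UserMay(transactionName) Then
        Response.Status = "403 Forbidden"
        Response.Write "Access denied."
        Response.End
    End If
End Sub

' The admin's per-user filter (location, bill amount, payee initial) is
' applied inside the stored procedure from the same UserID, so no page can
' widen the worklist by changing a query-string value. Returns a Recordset.
Function WorklistFor()
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = Application("ConnString")
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.usp_WorklistForUser"         ' assumed SP
    cmd.Parameters.Append cmd.CreateParameter("@UserID", adInteger, adParamInput, , CLng(Session("UserID")))
    Set WorklistFor = cmd.Execute
End Function
%>
```

A page such as fixitem.asp would start with `<!--#include file="security.inc" -->` followed by `RequireRight "FixItem"` before reading any form fields, and list items with `Set rs = WorklistFor()`. Because the decision is made on every request from the session's user ID alone, the session holds nothing an attacker could usefully alter and there is no cached copy of the rights to go stale when an admin changes a filter.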
Bullschmidt

Perhaps have a login page that asks the user for his username and
password. And whatever page that posts to (which could be the same page
for a self posting form) tests these fields against what is in the
database, sets the username and userlevel session variables accordingly,
and then redirects to the proper page - i.e. back to the login page if
the password is wrong (perhaps with a JavaScript popup saying wrong
username/password combination) or to the main menu page if the password
is correct:

Session("UserName") = objRS("UserName")
Session("UserLevel") = objRS("UserLevel")
Response.Redirect "mainmenu.asp"

Then you can use If Then's or Select Case on each page to control
whether a user is allowed to actually be there and whether particular
links of where a user can go actually show up.

If (Session("UserLevel") <> "Admin") And (Session("UserLevel") <> "Regular") Then
    Response.Redirect "login.asp"
End If

Best regards,
J. Paul Schmidt, Freelance ASP Web Consultant
http://www.Bullschmidt.com
ASP Design Tips, ASP Web Database Demo, Free ASP Bar Chart Tool...
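The self-posting login page from this reply, filled out as an added example (not J. Paul Schmidt's code): the username is bound as a query parameter rather than pasted into SQL text, the password is compared as a salted hash rather than stored in clear, the session is filled only after a successful check, and a failed attempt abandons whatever session state existed. The dbo.Users columns, the Application("ConnString") setting and the use of CAPICOM.HashedData (assumed installed; the value 4 is assumed to be CAPICOM_HASH_ALGORITHM_SHA_256) are assumptions for the example; a deployment would want a purpose-built password hash through a component instead of a plain SHA-256.

```vbscript
<%
' login.asp (added example). GET shows the form; POST checks the
' credentials and redirects.
Const adCmdText = 1, adParamInput = 1, adVarChar = 200

' Hashes salt & password with CAPICOM (assumed available on the server).
Function HashPassword(salt, password)
    Dim h
    Set h = Server.CreateObject("CAPICOM.HashedData")
    h.Algorithm = 4                 ' assumed CAPICOM_HASH_ALGORITHM_SHA_256
    h.Hash salt & password
    HashPassword = h.Value          ' hex string, compared with the stored one
End Function

' Looks the user up by name only; the password never enters SQL text, so
' a value such as ' OR 1=1 -- in either field is just data.
' Returns True and fills the session on success.
Function TryLogin(userName, password)
    TryLogin = False
    If Len(userName) = 0 Or Len(userName) > 50 Then Exit Function

    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = Application("ConnString")   ' assumed: set in global.asa
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT UserID, UserLevel, Salt, PasswordHash " & _
                      "FROM dbo.Users WHERE UserName = ? AND Disabled = 0"
    cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarChar, adParamInput, 50, CStr(userName))
    Set rs = cmd.Execute
    If rs.EOF Then Exit Function
    If StrComp(HashPassword(CStr(rs("Salt")), password), CStr(rs("PasswordHash")), vbBinaryCompare) <> 0 Then Exit Function

    ' Only now is anything written to the session.
    Session("UserID")    = CLng(rs("UserID"))
    Session("UserLevel") = CStr(rs("UserLevel"))
    TryLogin = True
End Function

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If TryLogin(Request.Form("UserName"), Request.Form("Password")) Then
        Response.Redirect "mainmenu.asp"
    Else
        Session.Abandon   ' no partial state survives a failed attempt
        Response.Redirect "login.asp?failed=1"
    End If
End If
%>
<html><body>
<% If Request.QueryString("failed") = "1" Then Response.Write "<p>Wrong username/password combination.</p>" %>
<form method="post" action="login.asp">
  Username <input type="text" name="UserName" maxlength="50">
  Password <input type="password" name="Password">
  <input type="submit" value="Log in">
</form>
</body></html>
```

The failure message is written server-side rather than as a JavaScript popup so that it cannot be suppressed by the client, and it is the same for an unknown user and a wrong password, which avoids confirming which usernames exist. Session("UserLevel") set here is a snapshot taken at login; a page that gates on it, as in the If block above, will not see a level change until the user logs in again, which is why a per-request check against the database is the safer basis for anything that matters.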