Hide Links Depending on Login

Frank Bishop

I'm using forms authentication with a database. I have an app that lets
users run online reports. Right now, depending on their login in the DB,
they get redirected to the pages that apply to them. I've noticed that
nothing stops them from browsing out to another user's page once they log
in.

I'm thinking maybe I should just hide content instead. Are there any
simple examples of this, or is my current way fixable?

Thanks,
Frank
 
Q. John Chen

Here is what I did:

In db, assign roles to different users.

In Login Form, save the user role in authentication cookie, like this:
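    // Role list for this user, as read from the db
    string userData = "Role1";
    FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
        1, userName, DateTime.Now, DateTime.Now.AddHours(12), false, userData);
    HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName);
    // Encrypt the ticket so the role data is not sent in the clear
    authCookie.Value = FormsAuthentication.Encrypt(authTicket);
    Response.Cookies.Add(authCookie);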

In Global.asax, add AuthenticationRequest Handler, like this:
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        if (Context.Request.IsAuthenticated)
        {
            FormsIdentity identity = (FormsIdentity)Context.User.Identity;
            // IN MY CASE, a user has multiple roles and I store the
            // roles in one column separated by commas
            string[] roles = identity.Ticket.UserData.Split(',');
            for (int i = roles.GetLowerBound(0); i <= roles.GetUpperBound(0); i++)
            {
                roles[i] = roles[i].Trim();
            }
            // Attach the roles so User.IsInRole() works in pages
            Context.User = new GenericPrincipal(identity, roles);
        }
    }

Now, in the page you want dynamic link.
    // do something like this:
    if (User.IsInRole("Sales"))
        link.Visible = false;
    else
        link.Visible = true;

Hope it helps

John
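
Hiding a link does not stop a logged-in user from typing a report page's URL directly, so each page also needs a check on the server. The following is an added example, not part of any post in this thread: it relies on the roles attached in the Application_AuthenticateRequest handler above, and the `RoleProtectedPage` base class, the `SalesReport` page and its role list are hypothetical names.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class (an assumption, not code from the thread).
// Report pages inherit from it and declare which roles may open them, so the
// check runs on the server even when the URL is typed in directly.
public abstract class RoleProtectedPage : Page
{
    // Role names as stored in the ticket's UserData at login.
    protected abstract string[] AllowedRoles { get; }

    protected override void OnInit(EventArgs e)
    {
        // No valid forms-auth ticket: send the visitor to the login page.
        if (!Request.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            Response.End();
        }

        // Authenticated, but holding none of the page's roles: refuse with
        // 403 before any report code runs.
        if (!IsInAnyRole(AllowedRoles))
        {
            throw new HttpException(403, "You are not allowed to view this report.");
        }

        base.OnInit(e);
    }

    private bool IsInAnyRole(string[] roles)
    {
        foreach (string role in roles)
        {
            if (User.IsInRole(role)) return true;
        }
        return false;
    }
}

// Hypothetical code-behind for a sales-only report page.
public partial class SalesReport : RoleProtectedPage
{
    protected override string[] AllowedRoles
    {
        get { return new string[] { "Sales" }; }
    }
}
```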
 
Guest

Instead of using cookies on the client side, you could set a server session
variable at login and on those pages that are selective you would just check
for the correct value of the session variable. If it is set right, then
allow the page. This is the way I do that on my personal web site.

Evan R. Hicks
 
