Guest
We have an intranet application that is under Integrated security. So in
theory, anyone who has an Active Directory account in the company can access
my app.
So, to allow only certain users, I created a user table of domain accounts
and check these in the Application_AcquireRequestState event by comparing the
Identity.Name to names in my table. If OK, I set a session variable
HasAccess to "1" since sessions are available in this event.
Then, on subsequent page requests, this event checks the
Request.IsAuthenticated and then the Session["HasAccess"] to allow them in
or not.
Is this approach valid or is there a better way? It seems to work OK,
except I have webservices on the site as well which, when requested, also
fire the Application_AcquireRequestState event BUT when I try to access the
Session variables, it returns a null object reference because it seems the
Session is never actually created by a webservice request.
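
An added example, not part of the original post: the same allow-list check done in `Application_AuthorizeRequest` with the result held in the application cache instead of Session, so page and web-service requests go through one code path. The connection string name `AppDb`, the table `dbo.AllowedUsers` and its `DomainAccount` column are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.Caching;

public class Global : HttpApplication
{
    // Runs for every request (pages and .asmx alike) after Windows
    // authentication has populated Context.User and before any handler executes.
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        var user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated ||
            !IsAllowed(user.Identity.Name))
        {
            Response.StatusCode = 403;   // authenticated, but not on the allow-list
            CompleteRequest();           // skip the page / web-service handler
        }
    }

    // Caches the decision per account in the application cache, so the check
    // does not depend on Session being available for the current handler.
    private static bool IsAllowed(string account)
    {
        string key = "HasAccess:" + account.ToUpperInvariant();
        object cached = HttpRuntime.Cache[key];
        if (cached != null) return (bool)cached;

        bool allowed;
        // "AppDb", dbo.AllowedUsers and DomainAccount are hypothetical names.
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM dbo.AllowedUsers WHERE DomainAccount = @name", conn))
        {
            cmd.Parameters.AddWithValue("@name", account);  // parameterized lookup
            conn.Open();
            allowed = (int)cmd.ExecuteScalar() > 0;
        }

        // Short absolute lifetime so a removed account loses access within minutes.
        HttpRuntime.Cache.Insert(key, allowed, null,
            DateTime.UtcNow.AddMinutes(5), Cache.NoSlidingExpiration);
        return allowed;
    }
}
```

Because the decision is keyed on the authenticated account name and expires after five minutes, removing a row from the table revokes access without waiting for a session to end.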