Restrict users using Application_AcquireRequestState?

Discussion in 'ASP .Net' started by =?Utf-8?B?RGF2ZQ==?=, Mar 2, 2005.

  1. We have an intranet application that is under Integrated security. So in
    theory, anyone who has an Active Directory account in the company can access
    my app.

    So, to allow only certain users, I created a user table of domain accounts
    and check these in the Application_AcquireRequestState event by comparing the
    Identity.Name to names in my table. If OK, I set a session variable
    HasAccess to "1" since sessions are available in this event.

    Then, on subsequent page requests, this event checks the
    Request.IsAuthenticated and then the Session["HasAccess"] to allow them in
    or not.

    Is this approach valid or is there a better way? It seems to work OK,
    except I have webservices on the site as well which, when requested, also
    fires the Application_AcquireRequestState event BUT when I try to access the
    Session variables, it returns a null object reference because it seems the
    Session is never actually created by a webservice request.
     
    =?Utf-8?B?RGF2ZQ==?=, Mar 2, 2005
    #1
    1. Advertising

  2. =?Utf-8?B?RGF2ZQ==?=

    Scott Allen Guest

    Hi Dave:

    Session state is disabled by default for asmx, but you can change the
    default.

    Another idea is to organize authorized users into an Active Directory
    group in your domain. Then you add an <authorization> section to
    web.config and restrict the app to just members of the group. No extra
    code required!

    --
    Scott
    http://www.OdeToCode.com/blogs/scott/

    On Wed, 2 Mar 2005 09:59:06 -0800, "Dave"
    <> wrote:

    >We have an intranet application that is under Integrated security. So in
    >theory, anyone who has an Active Directory account in the company can access
    >my app.
    >
    >So, to allow only certain users, I created a user table of domain accounts
    >and check these in the Application_AcquireRequestState event by comparing the
    >Identity.Name to names in my table. If OK, I set a session variable
    >HasAccess to "1" since sessions are available in this event.
    >
    >Then, on subsequent page requests, this event checks the
    >Request.IsAuthenticated and then the Session["HasAccess"] to allow them in
    >or not.
    >
    >Is this approach valid or is there a better way? It seems to work OK,
    >except I have webservices on the site as well which, when requested, also
    >fires the Application_AcquireRequestState event BUT when I try to access the
    >Session variables, it returns a null object reference because it seems the
    >Session is never actually created by a webservice request.
    >
     
    Scott Allen, Mar 2, 2005
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Piers Chivers
    Replies:
    0
    Views:
    492
    Piers Chivers
    Feb 18, 2004
  2. =?Utf-8?B?ZGVuIDIwMDU=?=

    Restrict '\' character using RegularExpression Validator..

    =?Utf-8?B?ZGVuIDIwMDU=?=, May 9, 2006, in forum: ASP .Net
    Replies:
    2
    Views:
    964
    Ray Booysen
    May 9, 2006
  3. Replies:
    0
    Views:
    746
  4. Replies:
    6
    Views:
    374
    Army1987
    Sep 24, 2007
  5. Gerhard

    restrict number of users

    Gerhard, Jul 7, 2009, in forum: ASP .Net
    Replies:
    11
    Views:
    621
    Gregory A. Beamer
    Jul 8, 2009
Loading...

Share This Page