Restrict users using Application_AcquireRequestState?

G

Guest

We have an intranet application that is under Integrated security. So in
theory, anyone who has an Active Directory account in the company can access
my app.

So, to allow only certain users, I created a user table of domain accounts
and check these in the Application_AcquireRequestState event by comparing the
Identity.Name to names in my table. If OK, I set a session variable
HasAccess to "1" since sessions are available in this event.

Then, on subsequent page requests, this event checks the
Request.IsAuthenticated and then the Session["HasAccess"] to allow them in
or not.

Is this approach valid or is there a better way? It seems to work OK,
except I have webservices on the site as well which, when requested, also
fires the Application_AcquireRequestState event BUT when I try to access the
Session variables, it returns a null object reference because it seems the
Session is never actually created by a webservice request.
 
S

Scott Allen

Hi Dave:

Session state is disabled by default for asmx, but you can change the
default.

Another idea is to organize authorized users into an Active Directory
group in your domain. Then you add an <authorization> section to
web.config and restrict the app to just members of the group. No extra
code required!
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top