Global.asax beginner question

[^MisterJingo^]

Hi all,

I'm attempting to create a login/role system for an application i'm
building. My idea is to store an instance of a 'webapp' object in
global.asax. This object stores login (username, ID) and role
information (user, admin etc) which is set on a successful login.
Would it be ok to put this object in the global.asax file and initiate
it on Session_start?
I'm unsure of any potential security implications of doing this.


thanks

 

[Alex Li]

Is this "webapp" object a per user object? If so, initiating it from
the session_start seems to be the right place.

Alex

 

[^MisterJingo^]

Yes.
I figured having a per user/session object which, when the user logs
in, will contain their permissions, ID (for db manipulation) and a few
other needed bits of information.
Each page will contain an object specifying the access level needed to
view that page, with a redirect for failed access.

Does this sound like an ok way of doing things?

I asked about the global.asax as I wanted to make sure storing login
information in an object from there was secure ie no-one could
manipulate it to login without credentials.

 

[Guest]

One way to do it with forms authentication is set up a user and password
table with role information. You can then use the role settings to allow for
specific page access.

 

[clintonG]

None of this is needed or even possibly desireable with ASP.NET 2.0
Membership, Roles and Profiles.

 

[^MisterJingo^]

None of this is needed or even possibly desireable with ASP.NET 2.0
Membership, Roles and Profiles.

I can't use membership, roles and profiles as I am using MySQL. I am
not willing to pay out hundreds of pounds a month to host on MS-SQL for
a personal project when I could write what is needed and use MySQL for
free.
I have tried some ODBC membership/role providers but they don't work
or are very buggy.
So out of curiosity, why isn't it desireable?

 

[Guest]

Have not worked with asp.net 2.0 but heard it automates all of this for you
or makes it very easy to set up. I used roles, password and user tables with
MySQL and asp.net 1.1. Seems to work fine as we only have a few hundred
users.

table 1.

*************************************
* user id * user name * password * role id*
*************************************
table2
*******************************
* role id * role level *
*******************************

 

[^MisterJingo^]

Have not worked with asp.net 2.0 but heard it automates all of this for you
or makes it very easy to set up. I used roles, password and user tables with
MySQL and asp.net 1.1. Seems to work fine as we only have a few hundred
users.

table 1.

*************************************
* user id * user name * password * role id*
*************************************
table2
*******************************
* role id * role level *
*******************************

Hi Paul,

This is what I've done. On login auth, a session object stores the role
and it is checked against a page object, redirecting if the user has
not got the needed role.
The objects which create this functionality in .net2.0 are catered to
MS-SQL. Its supposedly possible to inherit from the base of these
objects to write your own version for your own DB. But it seems like a
LOT of work, and the ones i've downloaded from the net (created by
other users for MySQL) don't seem to work correctly.
Also, compared to the objects I can create to enable this
functionality and secure the site, the pre-rolled .net 2.0 ones seem
pretty large.

A few posts up clintonG says writing your own isn't desirable and i'm
curious why - I don't want to inadvertantly leave security holes in the
site.

 

[Guest]

ok thanks for the additional information. I am wondering why as well,
hopefully clintonG will respond--
Paul G
Software engineer.