CODEWITHSUNDEEP
asp.net
Wild Goat
Wild Goat

Reputation: 3579

ASP.NET Impersonation design

This is my ASP.NET authentication operation.

    private void LoginButton_Click(Object sender,
                       EventArgs e)
    {
        string userName = txtUserName.Value;
        string password = txtUserPass.Value;

        if (ValidateUser(txtUserName.Value, txtUserPass.Value))
        {
            FormsAuthenticationTicket tkt;
            string cookiestr;
            HttpCookie ck;
            tkt = new FormsAuthenticationTicket(1, txtUserName.Value, DateTime.Now,
                                                DateTime.Now.AddMinutes(3), chkPersistCookie.Checked,
                                                userName + "@ticket");
            cookiestr = FormsAuthentication.Encrypt(tkt);
            ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);
            if (chkPersistCookie.Checked)
                ck.Expires = tkt.Expiration;
            ck.Path = FormsAuthentication.FormsCookiePath;
            Response.Cookies.Add(ck);

            string strRedirect;
            strRedirect = Request["ReturnUrl"];
            if (strRedirect == null)
                strRedirect = "MyAccount.aspx";
            Response.Redirect(strRedirect, true);
        }
        else
            Response.Redirect("logon.aspx", true);

    }

I have User table in my db where all credentials are saved. Using ValidateUser method I am doing credentials validation. Also I have three type of users: Member, Moderator and Administrator. Each type of members has unique functionality. Lets say I have A, B and C T-SQL stored inside in my db.

What should I to to let for:

Member execute only A query.

Moderator execute A and B.

Administrator execute A,B and C.

Of course, I can manage execution from Web app, but I am not sure how safe it is. Technically I can execute similar query outside of App, which gives access to all db data. I want somehow combine Web App login and Db access as well.

Thanks!

Upvotes: 0

Views: 116

Answers (2)

M4V3R1CK
M4V3R1CK

Reputation: 771

http://msdn.microsoft.com/en-us/library/ff647396.aspx

Upvotes: 1

M4V3R1CK
M4V3R1CK

Reputation: 771

If these queries are going to come from the web app, I think you would want to manage the code side that invokes the procedures.. you could maintain a list of urls in your database, assign roles, and give these roles access to specific urls. These urls would dictate what queries a user could execute...

then in your code you could assign custom attributes to limit access to them....

Upvotes: 1

Related Questions