Reputation: 1557
OK, I have scoured this site as well as others looking for answers to no avail.
Our new website comes with an Administrative section that allows all members access to certain pages within this admin section.
However, only 3 are allowed access to all pages.
I am attempting to use the login page to get all users to the Administrative section with a menu of items of interest.
Our goal is that when users get to this section, and click on an item they are not authorized to view, they be redirected back to the welcome page.
A better option, of course, is a message that says, "you are not authorized to view this page".
Is there a link or sample code I could modify to assist me with this task?
The code I have below isn't working.
It directs me to the Admin section just fine. Then on the Page_Load event of every link, I would use session to attempt to restrict users.
Example: if Session("Admin") <> True then response.Redirect("home.aspx") End If
but it isn't restricting anyone from viewing any of the links listed on the screen.
```vb
Sub CmdLogin_Click(ByVal Sender As Object, ByVal E As EventArgs) Handles CmdLogin.Click
    Dim StrUser As String, StrPass As String
    Dim BValid As Boolean
    Dim Conn As OleDbConnection
    Dim Cmd As OleDbCommand
    Dim rs As OleDbDataReader
    Dim StrSQL As String

    ' We will request all variables from our form with this.
    'Protect against SQL Injection
    StrUser = Replace(txtUser.Text, "'", "''", 1, -1, 1)
    StrPass = Replace(txtPass.Text, "'", "''", 1, -1, 1)

    ' This is our boolean variable for validation purposes set to true if valid user
    BValid = False

    ' Initialize Database Connection
    Conn = New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;data source=" & Server.MapPath("App_Data\Members.mdb"))

    ' Create Select Command
    StrSQL = "SELECT Access_Level, myEmail,UserPassword FROM tblUsers WHERE myEmail='" & StrUser & "' AND UserPassword = '" & StrPass & "'"
    'Response.Write(StrSQL)
    'Response.End()
    Cmd = New OleDbCommand(StrSQL, Conn)
    Conn.Open()
    rs = Cmd.ExecuteReader()

    ' This acts like the (Not RecordSource.Eof) in ASP 3.0
    While rs.Read()
        If rs("Access_Level") = "1" Or rs("Access_Level") = "2" Then
            Session("Admin") = True
            Response.Redirect("admin.aspx")
            'Response.Write(StrPass)
            'Response.End()
            Dim redirectTo As String = Trim(Session("RedirectTo"))
            BValid = True
        Else
        End If
    End While

    ' Don't forget this
    Conn.Close()

    ' This handles all response per validation
    ' If validated it goes to admin.aspx page
    If BValid = True Then
        Session("userid") = StrUser
        Dim redirectTo As String = Trim(Session("RedirectTo"))
        If redirectTo <> "" Then
            Response.Redirect(redirectTo)
        Else 'They just got in without trying to go to a restricted page
            Response.Redirect("admin.aspx")
        End If
    ElseIf BValid = False Then
        lblError.Text = "Login failed: Please try again."
    End If
End Sub
```
Any assistance is greatly appreciated.
Upvotes: 1
Views: 1145
Reputation: 6805
You don't need the gymnastics you are trying to do here. Consider using membership, roles and built-in .NET functionality to limit access to specific folders/pages.
Please take a look at one of my posts on how this can be done with ease:
How to restrict unlogged unauthorized users from viewing web pages
Upvotes: 1
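
The folder-level restriction the answer above points to, sketched as a root web.config; this is an added example, not code from the answer or its linked post. It assumes the admin pages have been moved into an `Admin` folder, that the pages reserved for the three full-access users sit in `Admin/Restricted`, that the login page is `Login.aspx`, and that a role provider maps those three users to a role named `FullAdmin`; all of these names are hypothetical.

```xml
<configuration>
  <!-- Added example: folder, page and role names are assumptions,
       not taken from the question. -->
  <system.web>
    <!-- Forms authentication issues the login cookie; an anonymous request
         for a protected URL is sent to loginUrl with a ReturnUrl parameter. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" defaultUrl="~/Admin/admin.aspx" timeout="30" />
    </authentication>
    <!-- Assumed: a role provider is configured that places the three
         full-access users in the "FullAdmin" role. -->
    <roleManager enabled="true" />
  </system.web>

  <!-- Every page under /Admin requires a logged-in member.
       "?" means anonymous (not authenticated) users. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Pages under /Admin/Restricted are for FullAdmin only.
       Rules are evaluated top-down and the first match wins, so the
       allow rule must come before the catch-all deny ("*" = everyone). -->
  <location path="Admin/Restricted">
    <system.web>
      <authorization>
        <allow roles="FullAdmin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With these rules the check runs before any page code, so no per-page Session test is needed. A logged-in member who lacks the role is sent back to the login page, which can test `Request.IsAuthenticated` and show "you are not authorized to view this page" instead of the login form.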