Password Protecting Resources | ASP.NET MVC

Question

I am working on an ASP.NET MVC app, and I have some views which I want to password protect. Not in a username/password forms auth type of way. When a user tries to go to one of these protected pages, I want them to have to put in a password. I came up with a way to do this, I just want to get some validation that it is a good approach.

When a user comes to the protected page, I'm checking a Dictionary stored in Session, if the id of the page is in there and marked as unlocked, they can view the page. If it is not the will be directed to an Unlock page, where they will have to enter the password. Once they enter the valid password, it'll update the Dictionary and they will be able to view the page.

Is the a valid approach or does anyone have a better idea.

Thanks

Answer 1

That essentially sounds like a standard username/password forms authentication where the username is hardcoded/shared amongst all users. Some thoughts:

1. Are you going to have different passwords for the different locked areas? If so this sounds a like like different roles for a user.
2. What is your reasoning for not using a standards based username/password solution (and roles possibly to define what areas are unlocked)?
3. Assuming this is a public facing site, by only requiring a password you've given a hacker a much easier target since they no longer have to guess a username/password combo.
4. Do you need any kind of audit trails? A single password for many people across an area makes this potentially more complicated to implement.
5. Maintenance - This isn't a standard solution so someone else maintaining this will have to figure out what you did and why.

I'm sure there are some other key points, but nothing else is coming to mind at the moment.