Reputation: 865
I have an ASP.Net web site that uses the Membership Provider to manage users and roles. Only users within a role are allowed access to certain pages. Is the code below adequate to prevent a user who is not in the role from accessing the page by simply typing in a URL that points to the page? Is there a better way to handle this?
Imports System.Web.Security   ' Roles lives here

Private Sub MessageWork_Init(sender As Object, e As EventArgs) Handles Me.Init
    ' Runs before the page renders; send anyone outside the role back to the home page.
    ' Use an app-root-relative URL ("~/"), not a backslash, so it resolves under any virtual directory.
    If Not Roles.IsUserInRole("Practice") Then
        Response.Redirect("~/Default.aspx")
        Exit Sub
    End If
End Sub
Upvotes: 1
Views: 65
Reputation: 2338
Your approach works. However, you could set permissions in your root web.config, and also from sub directories' web.config files.
For example, this configuration will by default allow anyone access to the whole site; but only the users that belong to the role Practice are the ones that can enter privatefile.aspx. Keep in mind that allow and deny are applied in order of appearance:
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="privatefile.aspx">
    <system.web>
      <authorization>
        <allow roles="Practice" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
More information at msdn.
Upvotes: 2
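To make the "order of appearance" point concrete, here is an added Python model that parses the web.config snippet from the answer above and evaluates its rules the way ASP.NET URL authorization does: rules from the matching location first, then the root rules, first match wins. It is an illustration written for this page, not ASP.NET's own implementation or code from the answer, and it is deliberately simplified (single-file location paths, no verbs attribute); a second constructed config swaps the two rules to show that the reversed order locks the Practice role out too.

```python
import xml.etree.ElementTree as ET

# Constructed web.config text mirroring the answer's snippet; the "reversed"
# variant only swaps the two rules inside <location> to show why order matters.
TEMPLATE = """<configuration>
  <system.web><authorization><allow users="*" /></authorization></system.web>
  <location path="privatefile.aspx">
    <system.web><authorization>{rules}</authorization></system.web>
  </location>
</configuration>"""
CORRECT_CONFIG = TEMPLATE.format(rules='<allow roles="Practice" /><deny users="*" />')
REVERSED_CONFIG = TEMPLATE.format(rules='<deny users="*" /><allow roles="Practice" />')

def _rules(node):
    """(verb, users, roles) tuples from node/system.web/authorization, in document order."""
    system_web = node.find("system.web")
    auth = None if system_web is None else system_web.find("authorization")
    if auth is None:
        return []
    return [(el.tag, el.get("users"), el.get("roles"))
            for el in auth if el.tag in ("allow", "deny")]

def effective_rules(config_xml, path):
    """Rules that apply to `path`: the matching <location> rules come first,
    then the root rules, which is how ASP.NET merges a section with its parent."""
    root = ET.fromstring(config_xml)
    rules = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == path.lower():
            rules += _rules(loc)
    return rules + _rules(root)

def _matches(users, roles, user, user_roles):
    """Does one rule apply to this principal? '*' is everyone, '?' is anonymous."""
    names = [u.strip() for u in (users or "").split(",") if u.strip()]
    wanted = [r.strip() for r in (roles or "").split(",") if r.strip()]
    if "*" in names or ("?" in names and user is None) or user in names:
        return True
    return any(r in user_roles for r in wanted)

def is_authorized(config_xml, path, user, user_roles=()):
    """First matching rule wins; if nothing matches, ASP.NET's default is allow."""
    for verb, users, roles in effective_rules(config_xml, path):
        if _matches(users, roles, user, user_roles):
            return verb == "allow"
    return True

if __name__ == "__main__":
    print(is_authorized(CORRECT_CONFIG, "privatefile.aspx", "alice", ["Practice"]))   # True
    print(is_authorized(CORRECT_CONFIG, "privatefile.aspx", "bob", ["Other"]))        # False
    print(is_authorized(REVERSED_CONFIG, "privatefile.aspx", "alice", ["Practice"]))  # False
```

Because the web.config rules are enforced by the framework for every request to that URL, they also cover a user who types the address directly, which is what the page-level Init check in the question is trying to achieve by hand.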
Reputation:
I would recommend that you add the same set of logic to global.asax under the Application_BeginRequest section, holding a list of roles against the pages in the application cache. You will have a single point of control. If your code is in the master page then it's well and good; no need to change anything.
Upvotes: 1