Reputation: 4287
I'm new to ASPX and VB.NET and I'm trying to create two different sets of content for two kinds of users.
Actually, all pages for a normal user are ready and now I'm trying to make the Admin part. I've created a folder Administrator in which there is an index.aspx that only a user who is logged in and has the role "ADMIN" in the database should be able to access.
The login part is done as follows:
    Protected Sub loginBtn_Click(sender As Object, e As EventArgs)
        If UserExists(username.Value, password.Value) Then
            ' Issue the forms-authentication ticket (non-persistent cookie)
            FormsAuthentication.SetAuthCookie(username.Value, False)
            If username.Value = "gab" Then
                ' URL paths use forward slashes; "~/" is the application root
                Page.Response.Redirect("~/Administrator/Index.aspx", True)
            Else
                Page.Response.Redirect("~/Default.aspx", True)
            End If
        Else
            username.Value = ""
            ClientScript.RegisterStartupScript(Me.[GetType](), "alert", "openModal();", True)
        End If
    End Sub
For now I just check if the username is "gab", but later I'd like a function that SELECTs the role from the database.
The issue is that if a normal user logs in and just writes \Administrator\index.aspx in the path, he can access that folder, and even if an administrator changes the path to "Default.aspx" he can access the content of a normal user.
I would like a normal user to be able to see just his aspx pages and the admin just the pages in the Administrator folder, but I need some suggestions on how to do it.
Upvotes: 0
Views: 146
Reputation: 34
There are a number of ways you can do it, including many not listed here.
You may consider checking the permissions of each user on page load and redirecting them when necessary. This does mean that you are hitting the database again on each page load, so you'll need to take that into consideration.
You may also try using client-side storage, like a cookie, and running the checks client side. You'll want to be careful with what you store on the client side, as it may open up security vulnerabilities.
If I knew more about your project, I may be able to give you more specifics.
Upvotes: 1
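The server-side approach the answer's first suggestion points toward, as an added example that is not part of either post: load the role from the database once per request in Global.asax, attach it to the request's principal, and let ASP.NET's URL authorization (the web.config rules in the comment at the top) deny the Administrator folder to anyone without the "ADMIN" role, regardless of what URL is typed. It assumes a Users table with Username and Role columns and a connection string named UsersDb; both names are placeholders.

```vbnet
' Global.asax.vb (added example). Pair it with this web.config fragment, which
' makes UrlAuthorizationModule reject every request under /Administrator
' whose principal lacks the ADMIN role, before any page code runs:
'
'   <location path="Administrator">
'     <system.web>
'       <authorization>
'         <allow roles="ADMIN" />
'         <deny users="*" />
'       </authorization>
'     </system.web>
'   </location>
Imports System.Configuration
Imports System.Data.SqlClient
Imports System.Security.Principal
Imports System.Web

Public Class [Global]
    Inherits HttpApplication

    ' Fires on every request after FormsAuthenticationModule has validated the
    ' auth cookie. Replaces the role-less FormsIdentity principal with one that
    ' carries the database role, so web.config rules and User.IsInRole() work.
    Sub Application_AuthenticateRequest(sender As Object, e As EventArgs)
        Dim ctx As HttpContext = HttpContext.Current
        If ctx.User Is Nothing OrElse Not ctx.User.Identity.IsAuthenticated Then
            Return ' anonymous request: web.config <deny users="?"/> handles it
        End If

        ' The role is read from the server-side database, never from the client.
        Dim role As String = GetRoleFromDatabase(ctx.User.Identity.Name)
        If String.IsNullOrEmpty(role) Then role = "USER" ' least privilege default

        ctx.User = New GenericPrincipal(ctx.User.Identity, New String() {role})
    End Sub

    ' Parameterized lookup against the assumed Users(Username, Role) table.
    Private Function GetRoleFromDatabase(username As String) As String
        Dim cs As String = ConfigurationManager.ConnectionStrings("UsersDb").ConnectionString
        Using conn As New SqlConnection(cs)
            Using cmd As New SqlCommand("SELECT Role FROM Users WHERE Username = @u", conn)
                cmd.Parameters.AddWithValue("@u", username)
                conn.Open()
                Return TryCast(cmd.ExecuteScalar(), String)
            End Using
        End Using
    End Function
End Class
```

With the principal populated this way, the login handler can replace the hard-coded username check with User.IsInRole("ADMIN"), and a page that should be hidden from admins can do the same check in Page_Load and redirect.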