Johnny5

Reputation: 6862

Handling confidentiality in application

I have an ASP.NET MVC 3 application where each logged-in user may have access to some specific data.

For example, "user A" has access to "Client 1" but not "Client 2", while "user B" has access to "Client 2" but not "Client 1".

If user A accesses http://myApp/Clients/2, we will throw a custom exception, say ConfidentialityException.

From that, we can trap it in global.asax Application_Error. But from that point, I wonder what would be the best practice:

My preferred solution is the first one (error page with 401), but I don't see how to set the HTTP code from Application_Error.

Edit

I changed the 401 status code to 403, since it's not an authentication error, but a confidentiality one. 403 seems more appropriate according to the W3C.

Upvotes: 0

Views: 209

Answers (1)

Rich O'Kelly

Reputation: 41757

To set the status code you can use the following:

HttpContextBase.Response.StatusCode = 401;

However, if you're using MVC you can simply set the result to be an HttpUnauthorizedResult, which will set the HTTP status code for you.

Upvotes: 2
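As an added example (not part of the question or the answer above): one way to turn the question's ConfidentialityException into a 403 from Application_Error in global.asax. The exception's constructor, the Trace logging call and the response text are assumptions made for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Assumed shape of the question's custom exception (its definition is not on the page).
public class ConfidentialityException : Exception
{
    public ConfidentialityException(string message) : base(message) { }
}

public class MvcApplication : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        if (error == null) return;

        // ASP.NET may wrap the original exception (e.g. in HttpUnhandledException),
        // so walk the InnerException chain looking for ours.
        ConfidentialityException denied = null;
        for (Exception ex = error; ex != null && denied == null; ex = ex.InnerException)
            denied = ex as ConfidentialityException;
        if (denied == null) return; // other errors keep the normal error handling

        // Record who was refused what on the server side only; the response
        // body stays generic so it reveals nothing about the protected record.
        string user = (User != null && User.Identity.IsAuthenticated)
            ? User.Identity.Name
            : "(anonymous)";
        Trace.TraceWarning("Access denied: user={0} url={1} reason={2}",
            user, Request.RawUrl, denied.Message);

        Server.ClearError();                     // stop the default error page
        Response.Clear();                        // drop any partially rendered output
        Response.StatusCode = 403;               // authenticated, but not allowed
        Response.TrySkipIisCustomErrors = true;  // keep IIS from replacing the body
        Response.ContentType = "text/plain";
        Response.Write("You are not allowed to access this resource.");
    }
}
```

Without Server.ClearError() the request still ends in the default error handling, and without TrySkipIisCustomErrors IIS 7+ in integrated mode may substitute its own 403 page for the body written here.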
