I'm new to ASP.NET and I am designing a warehouse portal. It has three user types: admin, warehouse staff and customer service. I designed an adduser.aspx page where I add users and assign roles. I use a dropdown list to select the type of user and then store the value in the database. After creating all users I set my login page as the default and, after validation, redirect them to specific pages. This is how I do it:

        // displayusertype holds the role string read from the database for this login
        if (displayusertype.Equals("Admin"))
        {
            Session["user"] = loginusername.Text;
            Response.Redirect("Admin_Default.aspx");
        }

        if (displayusertype.Equals("Warehouse staff"))
        {
            Session["user"] = loginusername.Text;
            Response.Redirect("Warehousestaff_Default.aspx");
        }

        if (displayusertype.Equals("Customer service"))
        {
            Session["user"] = loginusername.Text;
            Response.Redirect("Customerservice_Default.aspx");
        }

If I go to Admin_Default.aspx directly from the browser I can access it. But I want only the admins to access this page, and similarly for warehouse staff and customer service representatives. I only want each page to be reachable through the redirect after a login, not simply by typing its address into the browser. How can I achieve this?

MAK
    Always perform the authorization check on the page being requested, not on the page making the request. Never assume that users can't forge their own requests. – David May 20 '15 at 13:21
  • @David My navigation is as follows: Default page (login page - after authorization) ---> default admin page / default warehouse user page/ default customer service page. From default admin page I'm redirecting admin to add user page. But the add user page can be accessed directly. How should I do the authorization there? – MAK May 20 '15 at 13:30
  • Don't use [stringly typed](http://c2.com/cgi/wiki?StringlyTyped) variables. – Der Kommissar May 20 '15 at 13:33
  • Any suggestions on what I should look into, @EBrown? – MAK May 20 '15 at 13:51
  • @user1377504: Well, how do you know if a user is a specific type of user? That's the authorization check you would perform. – David May 20 '15 at 13:52
  • You should not be using `displayusertype.Equals()`. First, `strings` provide a `==` operator (`displayusertype == "Admin"` etc.). (This isn't Java.) Second, you should use a more meaningful datatype. Possibly an `enumeration` or similar to indicate what `type` the user is. – Der Kommissar May 20 '15 at 13:53
  • @EBrown: `string.Equals()` can be *very* useful if one wants to provide different equality comparison rules. Even with default equality comparison, there's no compelling reason not to use it. – David May 20 '15 at 13:54
  • @David Though that is true (provided you use one of the overloads that takes a `StringComparison` argument) there's no compelling reason to use it *either*. See this [MSDN](http://blogs.msdn.com/b/csharpfaq/archive/2004/03/29/when-should-i-use-and-when-should-i-use-equals.aspx) article. `My rule of thumb is that for almost all reference types, use Equals when you want to test equality rather than reference identity. The exception is for strings - comparing strings with == does make things an awful lot simpler and more readable` It's largely a *best-practices* argument. – Der Kommissar May 20 '15 at 13:59
  • Can you use [ASP.net authorization](https://msdn.microsoft.com/en-us/library/wce3kxhd(v=vs.140).aspx)? That will likely be more secure and simpler – Neil Smithline May 20 '15 at 15:33
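The comments above make two points: the authorization check belongs on the page being requested, and the role should be a typed value rather than a string. The following is an added example (not code from the question or from any of the commenters) that applies both. It assumes the login page stores a `UserRole` enum value in `Session["role"]`, that a page named `Default.aspx` is the login page, and that the three landing pages inherit from a shared `RoleProtectedPage` base class; those names are assumptions for illustration.

```csharp
// Added example: authorize on the requested page, not on the redirecting page.
// Assumes Session["role"] is set at login to a UserRole value (see LoginHelper).
using System;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

public enum UserRole
{
    None = 0,           // not logged in or unrecognised role
    Admin,
    WarehouseStaff,
    CustomerService
}

// Base class for every protected page. A derived page declares the roles
// allowed to view it; any other visitor is sent back to the login page
// before the page's own controls are processed.
public abstract class RoleProtectedPage : Page
{
    protected abstract UserRole[] AllowedRoles { get; }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        UserRole current = CurrentRole(Session);
        if (!IsAllowed(current, AllowedRoles))
        {
            // endResponse: true stops the rest of the page lifecycle from running.
            Response.Redirect("~/Default.aspx", endResponse: true);
        }
    }

    // A missing or malformed session value means "not logged in", never a default role.
    public static UserRole CurrentRole(HttpSessionState session)
    {
        if (session == null) return UserRole.None;
        object stored = session["role"];
        return stored is UserRole ? (UserRole)stored : UserRole.None;
    }

    public static bool IsAllowed(UserRole current, UserRole[] allowed)
    {
        return current != UserRole.None && Array.IndexOf(allowed, current) >= 0;
    }
}

// Admin_Default.aspx.cs (assumed name): only admins get past OnInit.
// Warehousestaff_Default and Customerservice_Default follow the same pattern.
public partial class Admin_Default : RoleProtectedPage
{
    protected override UserRole[] AllowedRoles
    {
        get { return new[] { UserRole.Admin }; }
    }
}

// Login page helper (assumed): map the role string from the database to the
// enum once, store the typed value, and return the landing page. The redirect
// is a convenience for the user; the protection lives in RoleProtectedPage.
public static class LoginHelper
{
    public static string SignIn(HttpSessionState session, string userName, string roleFromDb)
    {
        UserRole role;
        switch (roleFromDb)
        {
            case "Admin":            role = UserRole.Admin; break;
            case "Warehouse staff":  role = UserRole.WarehouseStaff; break;
            case "Customer service": role = UserRole.CustomerService; break;
            default:                 role = UserRole.None; break;
        }

        session["user"] = userName;
        session["role"] = role;

        switch (role)
        {
            case UserRole.Admin:           return "Admin_Default.aspx";
            case UserRole.WarehouseStaff:  return "Warehousestaff_Default.aspx";
            case UserRole.CustomerService: return "Customerservice_Default.aspx";
            default:                       return "Default.aspx";
        }
    }
}
```

With this in place, requesting Admin_Default.aspx directly in the browser without a session role redirects to the login page, because the check runs on every request to that page rather than only on the login redirect. The same check also covers the add-user page mentioned in the comments: make it inherit from `RoleProtectedPage` with `UserRole.Admin` as its only allowed role. If the project later moves to Forms Authentication with roles, the equivalent rule can be expressed declaratively in web.config with `<location>` and `<authorization>` elements, as the ASP.NET authorization link above describes.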
