0

I am making a website in asp.net. In my application, I divided the users into two categories. One is normal users and other is admin users. Admin users will be probably one or maximum two users. I decided to create separate two database users for admin users rather than table users in SQL server. So I have three database users two for admin and one for normal users

Case 1: Scenario is that if normal user want to login. System will connect to normal database user in SQL SERVER and will look the credentials in users table. If it found the user then session will generate and normal user will redirect to welcome page.

Case 2: For admin users I have direct database user. I am not storing and looking admin users in users table. Admin user can be dynamic. I don’t want to save database user in connection string in web.config file for admin. Connection always be runtime but the problem is how to handle database users credentials because I don’t want to store database user credentials in cookies and session.

Suppose if admin usr 1 login through login page. My system will check either that database user exist in SQL SERVER or not. If exist system will redirect to welcome page and I want my whole application remember admin usr 1 is logged in.

How to handle this scenario in asp.net.

user3671390
  • 69
  • 1
  • 2
  • 13

2 Answers2

1

I would look at implementing ASP.NET Identity rather than rolling your own security implementation. Far better to use a tried and tested methodology and, having just recently implemented this in a project, it is fairly straight-forward if you read through some of the tutorials on the web.

All users should authenticate through a standard login page regardless of their permissions. Once authenticated you should control their access to your application via their Roles, which you can create and assign depending on whether or not the user is a "normal" user or an "admin" user.

You mention about Admin users having a different SQL account with which to connect to the database, I would question whether this is necessary as you should be able to control the actions that each user can perform by the security applied to each user that logs in to your ASP.NET application.

connectedsoftware
  • 6,987
  • 3
  • 28
  • 43
  • this is also for security of database also.because normal user have limited privileges and admin users have maximum previlliges. – user3671390 Oct 25 '16 at 07:45
  • @user3671390 Once authenticated - you can use a different connection string for each type of user if required - simply have two connection strings in your web.config and use each depending on the level of the user that is logged in. – connectedsoftware Oct 25 '16 at 07:47
  • but the problem is that in connection string I must have to store database user information which i don't want.I want my admin user always be independent. – user3671390 Oct 25 '16 at 08:13
  • @user3671390 What do you mean by independent - you mean a unique SQL account for each admin? – connectedsoftware Oct 25 '16 at 08:16
0

I would recommend to not have different databases for your roles, because it can mess up the business logic. Instead make one database with a user-table and then have a role-table that connects through a FK.

därko
  • 19
  • 9