I currently have a Web Application which is using it’s own “Permissions” table which contains the following columns:

• UserName – Windows UserName (Context.User.Identity.Name)
• DivisionID – Links to a Division Table
• RoleID – Comes from a custom Roles Table
• RegionID – Recently added field to divide my Application into Countries (Canada, USA, International)

When the User logs into the site, they choose which Region they want to enter and I need to give them access to those Regions based on if they have any permissions set for that specific RegionID. Upon selecting a Region, the RegionID is stored in Session and will be used for this permission check and defining how data is populated on the pages (I haven’t implemented the Session variable into all of the pages just yet so that can be changed if need be)

My initial thought would be to run my Permission Check on each page sending them to one of three destinations:

• Invalid Permission Page (false)
• Region Select Page – No Region selected in Session (RegionID = 0)
• The page they requested – If has a permission set for that Region

I’ve also looked into using the Application_AuthenticateRequest method within the Global.asax but I cannot use Session within this area and it seems to be hitting the Application_AuthenticateRequest much more than it should be.

With my current App, what would be the best way to authenticate each user with their corresponding Regions, based on their Permissions?