I have an ASP .NET web application (runs only on the Intranet) where I am using a simple user authorization model. I have a table called tblApplicationAccess which has TWO fields – UserID and AccessLevel.
For example,
UserID: John.Smith, Access Level: 2
(1 – General Access, 2 – Data Entry Access, 3 – Super User, 4 – Developer Access)
I am using the Session_Start event in global.asax to authorize the user. Here is the code,
protected void Session_Start(object sender, EventArgs e)
{
string strUserID = User.Identity.Name.Substring(5);
bool isAllowedToView = false;
// UtilityClass is a root level class with various methods that I use throughout the application.
// QUESTION: Could this be the problem? Since it is at root level (alongside all the pages), could it be the case that this resource isn't checked for user access?
UtilityClass.StrCurrentSessionID = this.Session.SessionID;
// Add a row to BLSC_tblSession
int nRowsReturned;
string strConnectionString = UtilityClass.GetConnectionString("My Application");
string strQueryStartSession = "INSERT INTO BLSC_tblSession " +
"(SessionID, UserID, SessionStatus, StartTime, EndTime) " +
"VALUES ('" + this.Session.SessionID + "', '" + User.Identity.Name.Substring(5) + "', 'Active', '" + DateTime.Now + "', '" + DateTime.Now.AddDays(1) + "')";
SqlConnection connStartSession = new SqlConnection(strConnectionString);
if (connStartSession != null)
{
try
{
connStartSession.Open();
SqlCommand sqlStartSession = new SqlCommand(strQueryStartSession, connStartSession);
nRowsReturned = sqlStartSession.ExecuteNonQuery();
if (nRowsReturned == 0)
throw new Exception("Session could not be started.");
else
{
// Authorize User
// Check if user has access to the application. If not, redirect to UnauthorizedAccess.aspx
// Check for access level 1.
// IMPORTANT: For Dev server change access level to 4.
isAllowedToView = UtilityClass.CheckUserAccess(strUserID, 1);
if (isAllowedToView == false)
{
UtilityClass.WriteToLog("Application Access Denied: UserID - " + strUserID, 1);
Response.Redirect("Some URL");
}
else
{
// Browser detection
string strBrowserName = Request.Browser.Browser;
if (strBrowserName != "IE")
{
UtilityClass.WriteToLog("Non-supported browser usage detected: UserID - " + strUserID + ", Browser - " + strBrowserName, 0);
Response.Redirect("Some other URL");
}
}
}
connStartSession.Close();
}
catch (SqlException SqlEx)
{
UtilityClass.HandleError("Global.asax", "Session_Start", SqlEx.Message);
}
catch (Exception Ex)
{
UtilityClass.HandleError("Global.asax", "Session_Start", Ex.Message);
}
finally
{
if (connStartSession != null)
connStartSession.Close();
}
}
}
UtilityClass.CheckUserAccess
public static bool CheckUserAccess(string UserID, int RequiredAccessLevel)
{
bool bReturn = false;
object TemporaryPlaceHolder;
int nUserAccessLevel = 0;
string strQueryCheckUserAccess = "SELECT AccessLevel " +
"FROM BLSC_tblApplicationAccess " +
"WHERE UserID = '" + UserID + "'";
string strConnectionString = GetConnectionString("My Application");
SqlConnection connCheckUserAccess = null;
try
{
if (strConnectionString != String.Empty)
{
connCheckUserAccess = new SqlConnection(strConnectionString);
connCheckUserAccess.Open();
if (connCheckUserAccess != null)
{
SqlCommand sqlCheckUserAccess = new SqlCommand(strQueryCheckUserAccess, connCheckUserAccess);
TemporaryPlaceHolder = sqlCheckUserAccess.ExecuteScalar();
if (TemporaryPlaceHolder != DBNull.Value && TemporaryPlaceHolder != null)
{
nUserAccessLevel = Convert.ToInt32(TemporaryPlaceHolder);
if (nUserAccessLevel >= RequiredAccessLevel)
bReturn = true;
else
bReturn = false;
}
else
bReturn = false;
}
connCheckUserAccess.Close();
}
}
catch (SqlException SqlEx)
{
HandleError("UtilityClass.cs", "CheckUserAccess", SqlEx.Message);
}
catch (Exception Ex)
{
HandleError("UtilityClass.cs", "CheckUserAccess", Ex.Message);
}
finally
{
if (connCheckUserAccess != null)
connCheckUserAccess.Close();
}
return bReturn;
}
The Problem:
My application does not load in the production environment.
The application runs using Windows Authentication. To be precise, we have DomnainName\ApplicationServer$ accessing SQL Server and not individual users.
My Question:
If I want to check application access using my current model and the global.asax events, where is the best place to put it? Am I doing something grossly wrong here? I need to write to the session table for logging events and cannot use role-based authentication that ASP .NET provides.
From my perspectives
SessionStartlooks as a good place to do such things.At first try to figure out why it does not load in production and see whether any unhandled exceptions are occur
protected void Application_Error(Object sender, EventArgs e)in the
global.asaxfile