Protecting Editable ASP.NET pages when using querystring to pass pageId
Using an ASP.NET Membership provider...
Where is the best place to put code that protects pages with editable content from users who don't have access to them?
For example the url:
www.example.com/editPage.aspx?pageId=12
Suppose the access people have to a particular page is tied, by their UniqueID (GUID), to a table storing which pages they can access:
tblUsers.UserId --> tblPagePermissions.PageID
To stop people being able to just change the pageId in the url, is it best to just do a check when loading the page to see if they have access?
Is there a better way than just looking up the currently logged-in user's GUID in the database in Page_Load() and checking it against a Permissions table?
This is more of a general question rather than related to something I'm working on at the moment.
Where's the best place to put code that protects these pages? Is a check at Page_Load() in editPage.aspx most suitable, or is there a more efficient way to do it?
I'm thinking more about where the best place is to actually check, regardless of whether I'm checking against the actual user or the role they are in.
Page_Load(), HttpModule, somewhere else?
Not using the QueryString would be more secure, I'm sure, but assume it's what's being used.
I usually do it by creating a PageBase class and making all secure pages inherit from it. Then I handle Page_Load in PageBase and perform the check there.
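An added example of the base-class approach described in this answer (not code from the question or answer). It assumes a connection string named "Site" and that tblPagePermissions has UserId and PageID columns; the check runs on every request, before the derived page's Page_Load, and validates pageId before touching the database.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Base class for every editable page: inherit from this instead of Page.
public abstract class SecurePageBase : Page
{
    // The page id that passed the check; derived pages read this, not the query string.
    protected int CurrentPageId { get; private set; }

    // OnLoad runs before the derived page's Page_Load, so the check cannot be skipped.
    protected override void OnLoad(EventArgs e)
    {
        // 1. Validate the query string value before using it anywhere.
        int pageId;
        if (!int.TryParse(Request.QueryString["pageId"], out pageId) || pageId <= 0)
            throw new HttpException(400, "Invalid pageId");

        // 2. Identity comes from the Membership provider, never from the request.
        MembershipUser user = Membership.GetUser();
        if (user == null || !(user.ProviderUserKey is Guid))
            throw new HttpException(401, "Not authenticated");

        // 3. Authorise this user for this specific page (server-side, every request).
        if (!HasPermission((Guid)user.ProviderUserKey, pageId))
            throw new HttpException(403, "No access to this page");

        CurrentPageId = pageId;
        base.OnLoad(e);
    }

    // Parameterised lookup; connection string name and column names are assumed.
    private static bool HasPermission(Guid userId, int pageId)
    {
        string cs = ConfigurationManager.ConnectionStrings["Site"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM tblPagePermissions WHERE UserId = @u AND PageID = @p", conn))
        {
            cmd.Parameters.Add("@u", System.Data.SqlDbType.UniqueIdentifier).Value = userId;
            cmd.Parameters.Add("@p", System.Data.SqlDbType.Int).Value = pageId;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

A role-based variant would replace HasPermission with Roles.IsUserInRole or a role column in the same query; the placement of the check is unchanged.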
Regardless of the method(s) you use, you always have to validate the input you get from the client.
You would need to check this every time they access the page.