Creating a Secure Base Page class for ASP.NET Pages

Every web application built on the .NET framework needs authentication as well as authorization. ASP.NET provides 2 types of authentication providers for web applications, namely the Windows Authentication Provider and the Forms Authentication Provider. I am not going to discuss these types and the various modes of authentication. Instead, I am going to write about how one can implement code to secure their web pages, especially when these pages require a mandatory user login.

First, create the page that is supposed to be secured, for instance AccountDetails.aspx. By default this page inherits from the System.Web.UI.Page class. Now that you have created the page, it is time to add security to it. Add a new class to your application and name it SecureBasePage.CS. This class inherits from the System.Web.UI.Page class. The code looks like this:

public class SecureBasePage : System.Web.UI.Page
{
    public SecureBasePage()
    {
    }
}

So you have created a class that is similar to the System.Web.UI.Page class. Now all you have to do is implement the custom security in this class and inherit your AccountDetails.aspx from SecureBasePage. For the implementation of custom security, I take the help of the Session object: I check whether the current session has a variable called LoggedInUser that is associated with some value. I started by testing for this value in the constructor of SecureBasePage.

public SecureBasePage()
{
    // Throws: session state is not available while the page is being constructed.
    if (Session[ApplicationConstants.SessionVariables.LoggedUserID] == null)
    {
        Response.Redirect("LoginPage.aspx");
    }
}

While working on this I encountered a huge problem with the Session object. When this session object is used in the SecureBasePage class, I got the following exception:



Exception Details: System.Web.HttpException: Session state can only be used when enableSessionState is set to true, either in a configuration file or in the Page directive. Please also make sure that System.Web.SessionStateModule or a custom session state module is included in the <configuration> \ <system.web> \ <httpModules> section in the application configuration.


I've tried all the possibilities, like:

1) Adding enableSession to the Page directive

2) Adding the session tag to httpModules as mentioned below

<httpModules>
    <add name="Session" type="System.Web.SessionState.SessionStateModule"/>
</httpModules>

3) Adding the page directive in the pages section with the below code

<pages enableSessionState="true" enableViewState="true" enableViewStateMac="true" validateRequest="false" />

4) And many more that I found when I binged this error

Finally, I realized that at the time the constructor of this class runs, the session has not been created. So we have to implement the session validation in one of the other events of the System.Web.UI.Page class. So I've written it in the OnInit event:

protected override void OnInit(EventArgs e)
{
    base.OnInit(e);
    if (Session[ApplicationConstants.SessionVariables.LoggedUserID] == null)
    {
        Response.Redirect("LoginPage.aspx");
    }
}

But a problem arose here as well, because the session is still not instantiated with the passed variable. So all you have to do is change the session from the generic Session to the one on the current context (HttpContext.Current):

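protected override void OnInit(EventArgs e)
{
    base.OnInit(e);
    // Read the session from the current request context and send
    // visitors without a logged-in user id to the login page.
    if (HttpContext.Current.Session[ApplicationConstants.SessionVariables.LoggedUserID] == null)
    {
        Response.Redirect("LoginPage.aspx");
    }
}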

That is solved, and your AccountDetails page is now ready to inherit from SecureBasePage.CS.
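Putting the steps above together, as an added example rather than the author's own code: the complete base class and a code-behind that inherits from it. The ApplicationConstants stand-in, the "~/LoginPage.aspx" path, the null check on the session object and running the check before base.OnInit are assumptions of this example.

```csharp
using System;
using System.Web.SessionState;
using System.Web.UI;

// Stand-in for the ApplicationConstants type the post uses but does not show (assumed shape).
public static class ApplicationConstants
{
    public static class SessionVariables
    {
        public const string LoggedUserID = "LoggedUserID"; // assumed key name
    }
}

public class SecureBasePage : Page
{
    // Assumption: the login page sits in the application root. The "~/" form
    // resolves correctly from secured pages in subfolders as well.
    private const string LoginUrl = "~/LoginPage.aspx";

    protected override void OnInit(EventArgs e)
    {
        // Context is populated by the time OnInit runs; in the constructor it is not.
        HttpSessionState session = Context.Session;

        // Fail closed: a missing session object is treated like a missing login.
        bool loggedIn = session != null
            && session[ApplicationConstants.SessionVariables.LoggedUserID] != null;

        if (!loggedIn)
        {
            // endResponse = true stops the request here, so no Init, Load or
            // Render code of the derived page runs for an anonymous visitor.
            Response.Redirect(LoginUrl, true);
            return;
        }

        base.OnInit(e);
    }
}

// Code-behind for AccountDetails.aspx: inherit from the secure base instead of Page.
public partial class AccountDetails : SecureBasePage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Reached only when the session holds a logged-in user id.
    }
}
```

The .aspx markup for AccountDetails needs no change; only the class its code-behind derives from does.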


What do you say?
