Overriding Security at the Page Level


You can provide custom or alternative security on a page-by-page basis by passing information to the page via a .NET session variable.
- Pooja Daga, Technical Support Engineer, Iron Speed, Inc.

June 14, 2006
Iron Speed Designer V3.2

Introduction


You can provide custom or alternative security on a page-by-page basis by passing information to the page via a .NET session variable. Before each page is displayed, retrieve the session variable and perform the necessary checks to determine whether the user has permission to view the page.

One approach is to perform such validation by overriding each page's Page_Load() method. However, you do not need to do this page by page: you can instead override the Page_Load() method in the BaseApplicationPage class, from which every page class in your generated application is derived, so a single check covers all pages.

In the example below, a signed-in user whose DeptID is "1" is prevented from accessing EditOrdersPage.aspx and AddOrdersPage.aspx and is redirected to ShowOrdersTablePage.aspx instead.

Procedure


Step 1: Enable role-based security using the Role-Based Security Wizard in Iron Speed Designer.

Step 2: Create an application with the Orders table in the Northwind database. Set the start page as ShowOrdersTablePage.aspx. Set the access permissions for ShowOrdersTablePage.aspx to “Grant access only to signed in users”.

Step 3: Add the following code to the SignIn_Control class of SignIn_Control.ascx.cs, located in:

...\<Application Folder>\Shared\SignIn_Control.ascx.cs

C#:

public SignIn_Control()
{
    // Run our handler once the user has authenticated successfully.
    this.LoginSucceeded += new LoginSucceededHandler(SignIn_Control_LoginSucceeded);
}

private void SignIn_Control_LoginSucceeded(object sender, System.EventArgs e)
{
    // Look up the signed-in user's Employees record and cache its DeptID in session.
    // myId comes from the authenticated identity, not from request input, so it is
    // not attacker-controlled even though it is concatenated into the filter string.
    string myId = this.SystemUtils.GetUserID();
    string whereStr = "EmployeeID='" + myId + "'";
    EmployeesRecord myrec = EmployeesTable.GetRecord(whereStr);
    if (myrec != null)
    {
        System.Web.HttpContext.Current.Session["mySessionVar"] = myrec.DeptID;
    }
}

Visual Basic .NET, .NET Framework 1.1:

Private Sub Page_LoginSucceeded(ByVal sender As Object, ByVal e As System.EventArgs) _
    Handles MyBase.LoginSucceeded

    ' Look up the signed-in user's Employees record and cache its DeptID in session.
    Dim myId As String = Me.SystemUtils.GetUserID
    Dim whereStr As String = "EmployeeID='" & myId & "'"
    Dim myrec As EmployeesRecord = EmployeesTable.GetRecord(whereStr)
    If (Not myrec Is Nothing) Then
        System.Web.HttpContext.Current.Session("mySessionVar") = myrec.DeptID
    End If
End Sub

Visual Basic .NET, .NET Framework 2.0:

Private Sub Page_LoginSucceeded(ByVal sender As Object, ByVal e As System.EventArgs) _
    Handles Me.LoginSucceeded

    ' Look up the signed-in user's Employees record and cache its DeptID in session.
    Dim myId As String = Me.SystemUtils.GetUserID
    Dim whereStr As String = "EmployeeID='" & myId & "'"
    Dim myrec As EmployeesRecord = EmployeesTable.GetRecord(whereStr)
    If (Not myrec Is Nothing) Then
        System.Web.HttpContext.Current.Session("mySessionVar") = myrec.DeptID
    End If
End Sub

Note: DeptID is a field (of type int) added to the Employees table of the Northwind database. You can replace DeptID with any other field.

Step 4:

For .NET Framework 1.1, add the following code in the BaseApplicationPage class of BaseApplicationPage.cs located in:

...\<Application Folder>\Shared\BaseApplicationPage.cs

For .NET Framework 2.0, add the code in the BaseApplicationPage class of BaseApplicationPage.cs located in:

...\<Application Folder>\App_Code\Shared\BaseApplicationPage.cs

C#, .NET Framework 1.1:

public BaseApplicationPage()
{
    // Run the department check before every page derived from this class is displayed.
    this.Load += new System.EventHandler(BaseApplicationPage_Load);
}

private void BaseApplicationPage_Load(object sender, System.EventArgs e)
{
    if (System.Web.HttpContext.Current.Session["MySessionVar"] != null)
    {
        int myDeptID = (int)System.Web.HttpContext.Current.Session["MySessionVar"];
        if (myDeptID == 1)
        {
            // ASP.NET 1.1 names the compiled page class after the .aspx file.
            if (this.Page.GetType().Name == "EditOrdersPage_aspx" ||
                this.Page.GetType().Name == "AddOrdersPage_aspx")
            {
                this.Page.Response.Redirect("../Orders/ShowOrdersTablePage.aspx");
            }
        }
    }
}

C#, .NET Framework 2.0:

public BaseApplicationPage()
{
    base.Load += new System.EventHandler(this.Page_Load);
    // Run the department check before every page derived from this class is displayed.
    this.Load += new System.EventHandler(BaseApplicationPage_Load);
}

private void BaseApplicationPage_Load(object sender, System.EventArgs e)
{
    if (System.Web.HttpContext.Current.Session["MySessionVar"] != null)
    {
        int myDeptID = (int)System.Web.HttpContext.Current.Session["MySessionVar"];
        if (myDeptID == 1)
        {
            // ASP.NET 2.0 names the compiled page class from the folder and file,
            // in lower case.
            if (this.Page.GetType().Name == "orders_editorderspage_aspx" ||
                this.Page.GetType().Name == "orders_addorderspage_aspx")
            {
                this.Page.Response.Redirect("../Orders/ShowOrdersTablePage.aspx");
            }
        }
    }
}

Visual Basic .NET, .NET Framework 1.1:

Private Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.Load
    If (Not System.Web.HttpContext.Current.Session("MySessionVar") Is Nothing) Then
        Dim myDeptID As Integer = CType(System.Web.HttpContext.Current.Session("MySessionVar"), Integer)
        If (myDeptID = 1) Then
            ' Under .NET 1.1 the generated page classes can be tested by type.
            If (TypeOf (Page) Is EditOrdersPage OrElse TypeOf (Page) Is AddOrdersPage) Then
                Me.Page.Response.Redirect("../Orders/ShowOrdersTablePage.aspx")
            End If
        End If
    End If
End Sub

Visual Basic .NET, .NET Framework 2.0:

Private Sub myPage_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.Load
    If (Not System.Web.HttpContext.Current.Session("MySessionVar") Is Nothing) Then
        Dim myDeptID As Integer = CType(System.Web.HttpContext.Current.Session("MySessionVar"), Integer)
        If (myDeptID = 1) Then
            ' ASP.NET 2.0 names the compiled page class from the folder and file, in lower case.
            If (Me.Page.GetType.Name = "orders_editorderspage_aspx" OrElse _
                Me.Page.GetType.Name = "orders_addorderspage_aspx") Then
                Me.Page.Response.Redirect("../Orders/ShowOrdersTablePage.aspx")
            End If
        End If
    End If
End Sub
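As an added example (not code from the article, nor from Iron Speed's generated application), the C# below factors the rule from Step 4 into a class with no dependency on a live page, so the decision can be unit-tested, and generalizes it to cover both the .NET 1.1 and .NET 2.0 page class naming shown above. It also replaces the unchecked (int) cast with a conversion that tolerates a missing or non-integer session value. The names PageAccessPolicy, RestrictedDeptId, IsRestricted, TryGetDeptId and ShouldRedirect are this example's own; the session key, DeptID value and redirect target are the article's.

```csharp
using System;
using System.Globalization;
using System.Web.SessionState;

// Added example, not Iron Speed generated code. All names in this class are
// assumptions chosen for the illustration.
public class PageAccessPolicy
{
    // The department the article restricts (DeptID 1).
    public const int RestrictedDeptId = 1;

    // Compiled page class names differ by framework version:
    // ASP.NET 1.1 yields "EditOrdersPage_aspx", ASP.NET 2.0 yields
    // "orders_editorderspage_aspx". Matching a lower-cased suffix lets one
    // rule serve both.
    private static readonly string[] RestrictedPageSuffixes =
        new string[] { "editorderspage_aspx", "addorderspage_aspx" };

    // True when a user in deptId must not view the page whose compiled class
    // name is pageTypeName. Pages not on the list are allowed through, exactly
    // as in the article's handler.
    public static bool IsRestricted(int deptId, string pageTypeName)
    {
        if (deptId != RestrictedDeptId || pageTypeName == null)
        {
            return false;
        }
        string name = pageTypeName.ToLower(CultureInfo.InvariantCulture);
        foreach (string suffix in RestrictedPageSuffixes)
        {
            if (name.EndsWith(suffix))
            {
                return true;
            }
        }
        return false;
    }

    // Reads the cached DeptID from session. Returns false when the key is
    // missing (session expired or the sign-in handler never ran) or the stored
    // value is not an integer, instead of throwing from an unchecked cast.
    public static bool TryGetDeptId(HttpSessionState session, string key, out int deptId)
    {
        deptId = 0;
        if (session == null)
        {
            return false;
        }
        object raw = session[key];
        if (raw == null || raw is DBNull)
        {
            return false;
        }
        try
        {
            deptId = Convert.ToInt32(raw, CultureInfo.InvariantCulture);
            return true;
        }
        catch (FormatException) { return false; }
        catch (InvalidCastException) { return false; }
        catch (OverflowException) { return false; }
    }

    // Combines both checks: the caller redirects only when this returns true.
    public static bool ShouldRedirect(HttpSessionState session, string pageTypeName)
    {
        int deptId;
        return TryGetDeptId(session, "MySessionVar", out deptId)
            && IsRestricted(deptId, pageTypeName);
    }
}

// Usage from the Load handler in BaseApplicationPage (same redirect target as
// the article):
//
//   private void BaseApplicationPage_Load(object sender, System.EventArgs e)
//   {
//       if (PageAccessPolicy.ShouldRedirect(this.Session, this.Page.GetType().Name))
//       {
//           this.Page.Response.Redirect("../Orders/ShowOrdersTablePage.aspx");
//       }
//   }
```

Two properties of this design are worth keeping in mind. A missing session value falls through to the page's normal role-based security rather than to a redirect, matching the article's behaviour, so the Step 2 permission ("Grant access only to signed in users") remains the baseline control. And because DeptID is copied into session once, at LoginSucceeded, a change to the employee's department in the database takes effect only after the user signs in again.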

About the Author

Pooja Daga
Technical Support Engineer, Iron Speed, Inc.

Pooja has experience developing Web applications using .NET technology. She started her career with PCS, a leading software services company headquartered in India and has been with Iron Speed since 2005.

Pooja holds an M.S. degree in Computer Application and a B.S. degree in Electrical engineering from Maharaja Sayajirao University in India.
