ASP .NET Role Based Authentication vs Page Based (Page Class) Access Restrictions

Question

Currently, we have a site where almost all the pages fall into some page class that's a subclass System.Web.UI.Page. Generally the subclasses control styling -- headers, footers, etc. -- things displayed on that class of page that we want for all classes.

For one particular class, we check some session variables to see if the user has access to that particular page. If not, they get redirected off and told they don't have access.

I've since implemented a custom role provider and am in the process of updating all my web.config files from to .

The question has arisen: Why not implement the page-based restrictions in the page class instead of implementing a role-provider methodology.

Honestly, when I first considered this topic, it seemed to me there was a clash between and having page classes do the authorization. However, I'm having a difficult time coming up with reasons why page-class based authorization would be a bad idea right now.

If you're able to understand what I'm talking about where we set access (authorization) info during the login process and then use this (session based) information to "authorize" a user to access a page based on the page-class vs using the built-in ASP .NET role provider methodology, I'd appreciate your thoughts on this matter. Especially if you have experience in this area.

Thanks.

Answer 1

Well both ways are possible, IMHO, it comes down to whether you want to use the ASP.NET authorization scheme (allows, denies in the web.config) or code it into the page.

Personally I prefer the configuration approach, as it is more flexible and allows for the pages to inherit from another page class, or use master pages to provide for a common look and feel.