Hi! I have some question:

How to make a role based web application? Such as in forum sites, there is many user types, admin, moderator etc... is the roles of these user types stored in database or web.config? And when a user login to our site, how to control this users roles? In short I want to learn about authorization and authentication.

Thanks..

A: 

I've found that the built in Authorization schemes work great for simple situations where you only need to basically authenticate who can enter and who can leave, but fall short for custom situations, such as having special administrator accounts etc.

In those situations, I've created my own authentication scheme.

FlySwat
A: 

@Jonathan Holland

Where is your own authentication scheme? Can I see it?

mavera
A: 

@Mavera:

Basically, it's the concept of having your own users table in your own database, where you can manage permissions and store login information (properly hashed, of course). In the case of a multi-level permission scheme, I usually use two or more tables, for example:

TblUsers:
-----------------------------------------------------------------
| UserID (PK) | UserName | HashedPassword | PermissionLevel (FK)|
|---------------------------------------------------------------|
|     1       | BobTables| adfafs2312     |         2           |
-----------------------------------------------------------------

TblPermissions:
--------------------------------------
|  PermissionID (PK) | Description   |
|------------------------------------|
|         1          |     User      |
|         2          |   SuperUser   |
|         3          |     Admin     |
--------------------------------------

You can add a 3rd table that contains a One-To-Many relationship with TblPermissions that exposes the actual abilities the user may be allowed to do.

Querying a user would be as simple as:

SELECT TblUsers.UserName, TblPermissions.Description
    FROM TblUsers, TblPermissions
    WHERE TblUsers.UserID = @UserID
    AND TblUsers.PermissionLevel = TblPermissions.PermissionID;

Create a custom class to encapsulate that information, and store it in ASP.NET session when they are logged in.

FlySwat
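The scheme FlySwat describes above, worked through end to end as an added example (this is not FlySwat's code and not ASP.NET; it uses Python's built-in sqlite3 so it runs anywhere). It builds the TblUsers/TblPermissions tables from the answer, adds a per-user Salt column and PBKDF2 hashing as an assumption of what "properly hashed" means, runs the answer's join query at login, and stands in for the suggested third abilities table with a small role-to-abilities dictionary. The user names, passwords and ability names are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3

# Schema modelled on the answer's two tables. The Salt column is an
# addition (assumption): one random salt per user, stored beside the hash.
SCHEMA = """
CREATE TABLE TblPermissions (
    PermissionID    INTEGER PRIMARY KEY,
    Description     TEXT NOT NULL UNIQUE
);
CREATE TABLE TblUsers (
    UserID          INTEGER PRIMARY KEY,
    UserName        TEXT NOT NULL UNIQUE,
    Salt            BLOB NOT NULL,
    HashedPassword  BLOB NOT NULL,
    PermissionLevel INTEGER NOT NULL REFERENCES TblPermissions(PermissionID)
);
"""

# Constructed roles, matching the answer's TblPermissions rows.
ROLES = [(1, "User"), (2, "SuperUser"), (3, "Admin")]

# Stand-in for the answer's optional third table: which abilities each
# role grants. Constructed sample abilities.
ROLE_ABILITIES = {
    "User": {"post"},
    "SuperUser": {"post", "edit_any_post"},
    "Admin": {"post", "edit_any_post", "ban_user"},
}


def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; the raw password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def open_db():
    """Create an in-memory database with the schema and the role rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO TblPermissions VALUES (?, ?)", ROLES)
    conn.commit()
    return conn


def create_user(conn, username, password, role_name):
    """Insert a user with a fresh salt and the FK to the named role."""
    salt = os.urandom(16)
    role_id = conn.execute(
        "SELECT PermissionID FROM TblPermissions WHERE Description = ?",
        (role_name,),
    ).fetchone()[0]
    conn.execute(
        "INSERT INTO TblUsers (UserName, Salt, HashedPassword, PermissionLevel) "
        "VALUES (?, ?, ?, ?)",
        (username, salt, hash_password(password, salt), role_id),
    )
    conn.commit()


def authenticate(conn, username, password):
    """Authentication: verify the password and return the user's name and
    role description (the answer's join query), or None on failure.
    The returned dict is what the answer suggests keeping in the session."""
    row = conn.execute(
        "SELECT TblUsers.UserName, TblUsers.Salt, TblUsers.HashedPassword, "
        "TblPermissions.Description "
        "FROM TblUsers JOIN TblPermissions "
        "ON TblUsers.PermissionLevel = TblPermissions.PermissionID "
        "WHERE TblUsers.UserName = ?",
        (username,),
    ).fetchone()
    if row is None:
        # Hash anyway so an unknown name costs about as much as a wrong password.
        hash_password(password, b"\x00" * 16)
        return None
    name, salt, stored_hash, role = row
    if not hmac.compare_digest(stored_hash, hash_password(password, salt)):
        return None
    return {"username": name, "role": role}


def is_allowed(session_user, ability):
    """Authorization: check the session's role against the ability table."""
    if session_user is None:
        return False
    return ability in ROLE_ABILITIES.get(session_user["role"], set())


if __name__ == "__main__":
    db = open_db()
    create_user(db, "BobTables", "correct horse battery", "SuperUser")
    bob = authenticate(db, "BobTables", "correct horse battery")
    print(bob, is_allowed(bob, "edit_any_post"), is_allowed(bob, "ban_user"))
```

The split between authenticate (who is this?) and is_allowed (what may they do?) is the authentication/authorization distinction the question asks about; the role lives in the database, and only the small session dict is carried between requests.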
Thanks a lot Jonathan Holland. That's great.
mavera