What is role-based security, and why should I use it?

What it is...
Role-based security lets you partition your web site according to the "role" of the user. That means that once a user is logged in, whether or not access to a resource is granted is decided by the roles that user plays--such as "administrator", "premium subscriber", or "guest", for example.

Why you should use it...
It is much more flexible and powerful than simply using basic authentication, whereby any user who can "log in" has access to your entire site -- unless you list individual users in a config file, which is tedious and not very maintainable. With roles, access rules are written in terms of roles rather than individual users, so the config file has to change far less often when security settings change.

What's wrong with the intrinsic support for this in the .NET framework?

The basics for role-based security can be found in the .NET framework. However, implementing it in your ASP.NET application can be somewhat painful.

Because of the stateless nature of web applications, you are required to set the roles for the user upon each and every request to your web site--not just once, when the user first logs in. Given this requirement, you have three primary options:

  • Rebuild the roles for each request by querying a database--obviously not very efficient
  • Use FormsAuthenticationTicket and store the roles in a cookie
  • Store the roles in a cache on the server, reducing both bandwidth use and security risks

In most cases, the last option is the best choice. And the module provided on this site eliminates the hassles of implementing this style of role-based security.
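The following is an added example, not the module provided on this site and not part of the original text, of the third option above: an ASP.NET HttpModule that attaches the user's roles on every request, querying the role store only when the roles are not already in the server-side cache. The in-memory roleStore table and the slidingLifetime value are constructed assumptions standing in for your own database query and your own expiry policy.

```csharp
// Added example (not the page's own module): rebuild roles per request from the
// server-side cache, falling back to the role store on a cache miss.
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

public class CachedRoleModule : IHttpModule
{
    // Constructed stand-in for the database table that maps user names to roles.
    private static readonly Hashtable roleStore = new Hashtable();

    static CachedRoleModule()
    {
        roleStore["alice"] = new string[] { "administrator", "premium subscriber" };
        roleStore["bob"]   = new string[] { "guest" };
    }

    // Assumed policy: an idle cache entry lives 20 minutes before roles are re-queried.
    private static readonly TimeSpan slidingLifetime = TimeSpan.FromMinutes(20);

    public void Init(HttpApplication app)
    {
        // Fires after forms authentication has identified the user and
        // before the authorization module checks <authorization> rules.
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    public void Dispose() { }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        if (context.User == null || !context.User.Identity.IsAuthenticated)
            return;                        // anonymous request: no roles to attach

        string userName = context.User.Identity.Name;
        string[] roles = GetRoles(context.Cache, userName);

        // Replace the bare identity with a principal that carries the roles, so
        // User.IsInRole() and <allow roles="..."/> work for the rest of the request.
        context.User = new GenericPrincipal(context.User.Identity, roles);
    }

    // Returns the user's roles, serving them from the cache whenever possible.
    private static string[] GetRoles(Cache cache, string userName)
    {
        string key = "roles:" + userName;
        string[] roles = cache[key] as string[];
        if (roles == null)
        {
            roles = QueryRoleStore(userName);
            cache.Insert(key, roles, null, Cache.NoAbsoluteExpiration, slidingLifetime);
        }
        return roles;
    }

    // Call this whenever a user's roles change, so the next request re-queries
    // the store instead of serving stale roles until the entry expires.
    public static void InvalidateRoles(Cache cache, string userName)
    {
        cache.Remove("roles:" + userName);
    }

    // Stand-in for the database query; a user with no row gets no roles.
    private static string[] QueryRoleStore(string userName)
    {
        string[] roles = roleStore[userName] as string[];
        return roles == null ? new string[0] : roles;
    }
}
```

Register the module in web.config under <httpModules> and then express access rules by role, for example <allow roles="administrator"/> followed by <deny users="*"/>, so individual users never need to appear in the config file. Two things to keep in mind with this design: the cache is per worker process, so on a web farm each server queries the store once per user, and a role revoked in the database stays in effect until the entry expires unless you call InvalidateRoles when you change it.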

Every application needs logging to some degree, whether it's for recording user actions, notifying support of application errors, or debugging applications. Do yourself a favor and take a look at this logging framework.

© Copyright 2002 - Lorne Brinkman - All Rights Reserved