Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / .NET Framework / Security / November 2004

Tip: Looking for answers? Try searching our database.

Web Admin privileges

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Shabam - 23 Nov 2004 12:04 GMT
I have a multi-user web application that allows users to log in and use the
features.

As admin I need to have full access to these accounts and all data
contained.  It's not enough that I'm able to browse and delete accounts.

My question is, to do this, for every feature on the system, would seem to
be an inefficient way to go about it.  So what I'm thinking are two
possibilities:

1) Have admin as super user, so that when he browses a user's page, he has
full permission.  However this seems high risk?

2) When admin clicks on a user's page from his admin control panel, the
system changes the admin to that user, just as though the user logged in to
his own page.  This would seem a little better since I wouldn't have to code
in an extra admin check step on every user page, and also be a little more
secure since it's just the user logging in as himself.  However, the problem
here becomes, the user password is encrypted in the database.  How would I
go about passing this info to the admin for him to log in?  I do believe it
can be decrypted though, but I'm not sure (I didn't write the application).

Any suggestions on how to go about this?
Reply to this Message
Nicole Calinoiu - 25 Nov 2004 18:46 GMT
>I have a multi-user web application that allows users to log in and use the
> features.
[quoted text clipped - 8 lines]
> 1) Have admin as super user, so that when he browses a user's page, he has
> full permission.  However this seems high risk?

Why?  If you already need to implement a check for non-admins, just build
the admin bypass into the same verification method.

> 2) When admin clicks on a user's page from his admin control panel, the
> system changes the admin to that user, just as though the user logged in
[quoted text clipped - 9 lines]
> can be decrypted though, but I'm not sure (I didn't write the
> application).

Not a good idea.  Amongst other potential problems, you lose auditability.
If it ever becomes necessary to track which user performed any given action,
you won't be able to distinguish admin actions from those of the other
users.

> Any suggestions on how to go about this?

As above, implement a single "is the user allowed to run this page?" method
that only permits execution if the current user is either an admin or the
requested account user.  To make implementation in each page simpler, you
might want to consider inheriting from a common base page that runs this
verification (assuming this is ASP.NET) .
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.