authorization and querystrings in ASP.NET

Jun 2, 2008
Hello, I have a simple question on how to approach this.

Let's say we have 3 users, user11, user15, and user19.

user11 has 2 graphs he is allowed to look at, ?graph=1, 4
user15 has ?graph=2, 3
and user19 has ?graph=5, 6.

This is of course gonna have to be dynamic as the user may get more projects in the future.

What would be the best way to make sure they are only allowed to see their graphs?

The username itself has been caught and is in a session variable.

 

KB

Diamond Member
Nov 8, 1999
First, I would store the user/graph assignments in a database. This can be done by creating users and roles using the built-in .NET authentication/authorization system or a custom solution you build yourself.

Then, in the page load event of the page that accepts the graph query string, I would add a check against the database to make sure the user has rights to the graph. If they don't, I would redirect them to a page that says no access allowed.
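The check described in the reply above, as an added example that is not part of the original posts: a Web Forms code-behind that validates the `graph` query string and looks up the user/graph assignment before anything is rendered. The page class, the session key `"username"`, the connection string name `GraphDb`, the table `dbo.UserGraphs(UserName, GraphId)` and `NoAccess.aspx` are all assumed names.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

// Code-behind for a hypothetical Graph.aspx page requested as Graph.aspx?graph=N.
public partial class GraphPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // The thread says the username is already in a session variable;
        // the key "username" is an assumption.
        string userName = Session["username"] as string;

        // The query string is untrusted input: it must parse as an integer.
        int graphId;
        bool validId = int.TryParse(Request.QueryString["graph"], out graphId);

        // Fail closed: no session user, a malformed id, or no assignment row all deny.
        if (string.IsNullOrEmpty(userName) || !validId || !UserMayViewGraph(userName, graphId))
        {
            Response.Redirect("~/NoAccess.aspx", true); // assumed page; ends the request
            return;
        }

        // Authorized: the page's existing graph-building code runs from here with graphId.
    }

    // True only when an assignment row links this user to this graph.
    private static bool UserMayViewGraph(string userName, int graphId)
    {
        // "GraphDb" and dbo.UserGraphs(UserName, GraphId) are assumed names.
        string cs = ConfigurationManager.ConnectionStrings["GraphDb"].ConnectionString;
        const string sql =
            "SELECT COUNT(*) FROM dbo.UserGraphs WHERE UserName = @user AND GraphId = @graph";

        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Parameters keep both values out of the SQL text.
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = userName;
            cmd.Parameters.Add("@graph", SqlDbType.Int).Value = graphId;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

If the graph image itself is served by a separate page or handler, the same check has to run there as well, since that URL can be requested directly.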

 
Jun 2, 2008
Would the .NET auth/authorization be the right thing to use?

From what I know (I haven't received it yet), somebody within the organization has an ASP.NET script that can catch the username when a user logs into our corporate site through a cookie.

About storing graphs.

All the data that is used to create the graphs is in a database, so graphs are created on the fly, which might make things a bit different now that I think about it.