[Repost] Analysis and summary of permission settings for a B/S architecture application

Source: Internet
Author: User

From: http://www.cnblogs.com/zhouxunyu/p/3790122.html

Analysis: Different users who log on to the system are given different operation permissions. The users are stored in the database, and the field that identifies a user's permissions is also stored in the user table of the database.

Problem: how to take the field that identifies the user's permissions out of the database and keep it available in the running program.


Scenario one: Create a user class that encapsulates the information queried from the user table; the user is instantiated from this class and the permission field is read from the instance.

Analysis: This solution is feasible. The disadvantage: once the system is deployed and goes online with a large number of users, the user class will be instantiated many times and the server load will be very heavy.

If this solution is applied to a C/S architecture, I personally think it is the most convenient and the best.

Scenario two: The information queried from the user table, in particular the field that identifies the user's permissions, is saved in the session.

Analysis: This solution is feasible. The disadvantage: the session has a timeout mechanism, and once the session times out the operation will fail. Session timeout workaround: set the timeout in code (the original gives "session.time=12000;"), or configure it in the configuration file (this is an ASP.NET web.config):

<configuration>
  <system.web>
    <sessionState
      mode="InProc"
      cookieless="true"
      timeout="MINUTES" />  <!-- placeholder: the value did not survive extraction; ASP.NET reads timeout in minutes -->
  </system.web>
</configuration>

If you want the session never to time out, place an empty hidden iframe or a button on the page and refresh it on a timer; the session will then never expire. However, it is best not to do that: catch the timeout and make the user log in again.


Scenario three: The information queried from the user table, in particular the field that identifies the user's permissions, is saved in a cookie.

Analysis: This solution also seems to work. The disadvantages: cookies have an expiry mechanism, and if several users log in on the same computer their cookies conflict.

Solving the cookie conflict: use key-value pairs with the user ID as the key; the ID is always unique in the database, so the conflict is easy to resolve. But it is best not to use cookies for permission settings at all: a cookie carries a risk, and the whole application becomes insecure. If the user changes the local cookie value, the permission changes with it, so this approach is not recommended.
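The contrast between scenario two and scenario three, as an added example that is not part of the original post and not the author's code. It is written in Python rather than ASP.NET to stay self-contained: a minimal cookie parser and a constructed signing key are assumptions of the example, the session store mirrors the sliding expiry of the sessionState timeout above, and the three parts show (1) why a permission read straight from a cookie is under the user's control, (2) how keeping the permission server-side behind an opaque session id with a timeout forces a re-login instead of an error, and (3) how an HMAC signature lets the server detect an edited cookie when some data must live client-side.

```python
import hashlib
import hmac
import json
import secrets
import time

# ---- Scenario three, naive form: the role is read straight from the cookie ----
# (constructed example; the server trusts whatever the browser sends back)

def parse_cookie_header(header):
    """Parse 'k=v; k2=v2' into a dict (minimal parser, enough for the example)."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key] = value
    return out

def role_from_plain_cookie(cookie_header):
    """Naive: whoever edits the cookie in the browser edits their own permissions."""
    return parse_cookie_header(cookie_header).get("role")

# ---- Scenario two: permission kept server-side, keyed by an opaque session id ----

class SessionStore:
    def __init__(self, timeout_seconds, clock=time.time):
        self.timeout = timeout_seconds
        self.clock = clock            # injectable clock so expiry can be tested deterministically
        self._sessions = {}           # session_id -> {"user_id", "role", "last_seen"}

    def login(self, user_id, role):
        sid = secrets.token_urlsafe(32)   # random id; nothing about the user is encoded in it
        self._sessions[sid] = {"user_id": user_id, "role": role, "last_seen": self.clock()}
        return sid

    def role_for(self, sid):
        """Return the stored role, or None when the session is unknown or timed out.
        None means 'send the user back to the login page', not 'throw an error'."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.timeout:
            del self._sessions[sid]   # expired: treat exactly like 'not logged in'
            return None
        entry["last_seen"] = now      # sliding expiry, as with the sessionState timeout
        return entry["role"]

# ---- Scenario three, hardened: if data must live in the cookie, sign it ----

SERVER_KEY = b"constructed-example-key-real-keys-do-not-belong-in-source"

def sign_cookie(payload):
    """Serialize the payload canonically and append an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag

def verify_cookie(value):
    """Return the payload only if the tag matches; None for edited or malformed cookies."""
    try:
        body_hex, tag = value.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)

if __name__ == "__main__":
    store = SessionStore(timeout_seconds=1200)
    sid = store.login(42, "user")
    print("server-side role:", store.role_for(sid))
    cookie = sign_cookie({"uid": 42, "role": "user"})
    print("signed cookie verifies:", verify_cookie(cookie))
    print("plain cookie after the user edits it:", role_from_plain_cookie("role=admin"))
```

The server-side store is the option the post recommends: the browser only ever holds a random session id, so there is nothing in the cookie worth editing, and a timeout surfaces as "not logged in" rather than as a failed operation. The signed cookie is the fallback when state has to travel with the client; the signature stops silent edits, but it does not hide the contents and it does not revoke a cookie that was valid when issued, so expiry and revocation still need server-side handling.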
