.net C#, what is the best practice for securing every method?

Question

I have a Web Project which has a Business Layer that handles some data operations. I would like to secure some or all methods by checking if there is an active not ended valid Session before executing the method.

I first thought using Attribute over class but I couldn't run it properly. Since the class is a usual class and not derived from System.Web.Page. the attribute class never runs when the required BL instance is invoked. Besides, some of the methods might not require a valid session, so the whole class might not need a complete security. And also, adding a line that checks the session in every beginning of the method doesn't sound very promising.

If you ask me why would I need to secure by method, I could explain like this:

• This is a web project
• Person might start out the from fill it but never got it save at that moment
• That screen waits about 30 mins lets say
• The session is already ended
• User is back in front of the computer, and clicks SAVE button, but process should NOT be completed

Save operation could easily be a DELETE operation or a SELECT.

Since there are many TYPEs of forms and stuff, I have BL.ItemManager, BL.VideoManager, BL.ServiceManager and so on... So, there are alot of save, delete and select methods inside of these classes.

Therefore, is there a neat way to secure some methods by checking the session before running the process

Answer 1

You may use aspect-oriented approach; PostSharp may be an option.

All you need to do is to create an atrribute using PostSharp to inject code before the method call to check whether the session is alive. Something like;

[SessionAlive]
public void SomeMethod()

Or you may just use Session_End method in the Global.asax file, or you may just use some javascript code to force redirection to login page.