
Hiding Controls as a Form of Web Security, Suggestions for Better?

I am working on a website (developed in ASP.NET with C#) that was passed on to me. As I'm working through the site, I notice much of the site has this type of code in it:

EmailLabel.Visible = false;
WhateverButton.Visible = false;
AnotherControl.Visible = false;
...

This is all typically done in the code-behind of the site (in the Page_Load method). Essentially, this was put in place to prevent a non-logged in user from accessing components (the rule for the site is that a non-logged in user shouldn't be able to see any part of the site until they log in). The way above works...but it seems rather expensive to have to always check if the user is logged in and then flip to the correct status for all those components.

Is there a different way that this problem could be approached? Just from thinking about it/research, I thought perhaps there would be a way that I could do a redirect back to the home page if a user is not logged in. Even further, I could extend a base page which would do this for any page that extends the base page. However, my knowledge in this area is limited, so my suggestion may not work.

What can SO suggest? Anything better? Is what is there good enough?

JasCav asked Jan 18 '10 17:01



1 Answer

We do this a lot at my work.

The way we accomplish this is by creating a BasePage class that inherits from System.Web.UI.Page. Then you override OnInit, call the base.OnInit, and add code to check for a logged in user. If the user is not logged in, Redirect them to a login page (which would not inherit from BasePage.)

Then, on every page that needs to be protected, just change the page to inherit from BasePage.

And contrary to what womp says above, if you write Response.End(); after the redirect, it is much faster than even continuing to process the rest of the page!

Hope that helps.

FallenAvatar answered Sep 23 '22 22:09
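
A sketch of the BasePage approach described in the answer above, added here as an example and not code from the original posts. It assumes the site uses ASP.NET Forms Authentication (so Request.IsAuthenticated reflects login state); the "~/Login.aspx" path and the AccountSettings page are hypothetical. As a small variation on the order given in the answer, the check runs before base.OnInit so the page's own Init handlers never execute for anonymous requests.

```csharp
using System;
using System.Web.UI;

// Base class for every page that requires a logged-in user.
// The check is enforced on the server before any page logic runs,
// instead of hiding individual controls in each Page_Load.
public class BasePage : Page
{
    // Hypothetical login page. It must inherit from Page directly,
    // not from BasePage, or anonymous users would be redirected in a loop.
    private const string LoginUrl = "~/Login.aspx";

    protected override void OnInit(EventArgs e)
    {
        // Assumption: Forms Authentication is configured, so
        // Request.IsAuthenticated is false for anonymous requests.
        if (!Request.IsAuthenticated)
        {
            // endResponse: true makes Redirect call Response.End(), so
            // Init handlers, Page_Load, postback event handlers and
            // rendering are all skipped for this request.
            Response.Redirect(LoginUrl, true);
        }

        // Reached only for authenticated requests.
        base.OnInit(e);
    }
}

// A protected page only changes its base class (hypothetical page name).
public partial class AccountSettings : BasePage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Runs only for authenticated users, so the per-control
        // Visible = false toggles for the login check are not needed here.
    }
}
```

Passing false for endResponse would let the rest of the page lifecycle, including postback handlers, keep running after the redirect header is set, which defeats the purpose of the check.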