Can’t help it. Looking at someone else’s code is just plain fun. Especially when it’s not that well architected. It seems that I keep running into nice fragments of how not to code. Well, to be honest, my colleagues tend to help out and send me all kinds of code examples.
Have a look at the tiny fragment below.
If HttpContext.Current.Session("UserID") <> "obama" And HttpContext.Current.Session("UserID") <> "h.clinton" Then Response.Redirect("../../default.aspx")
Brilliant, isn’t it. Of course I changed the names, as you might expect. This is a cruel example of authorisation. At first, the developers (being the two persons who do get authorized) will probably have thought: this is ok for now, we’ll refactor it later before the application gets deployed. Unfortunately, they forgot. This code was found in a web application in production. Moreover, it had thousands of users. Now imagine the trouble the people administrating the application will have. “Why do I have to log in as obama? Who is he anyway?”
There’s another explanation, although a less desirable one. It’s that the developers just didn’t know any better than to write the user name in a session variable named UserID. Let’s hope this scenario is not the case. It would scare me to see that this could well be exemplary for the quality of the code.
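For comparison, here is the same page guard written the way it should have been: an added example, not code from the post or from the application it describes. It assumes ASP.NET forms authentication with a configured role provider; the role name "ContentAdministrators" and the class name are assumptions for this example.

```vbnet
' Added example: the post's check, rewritten so that *who* is allowed is
' decided by role membership, not by user names hard-coded in the page.
Imports System
Imports System.Web
Imports System.Web.Security

Public Class AdminPage
    Inherits System.Web.UI.Page

    ' Hypothetical role name; it lives in the application's role provider
    ' (ASP.NET membership/roles), so granting access means changing data,
    ' not recompiling the page.
    Private Const RequiredRole As String = "ContentAdministrators"

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' Decide on the authenticated principal, not on a session variable
        ' that any other page in the application could have written.
        Dim user = HttpContext.Current.User

        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then
            ' Not logged in: send to the login page declared in web.config.
            FormsAuthentication.RedirectToLoginPage()
            Return
        End If

        If Not user.IsInRole(RequiredRole) Then
            ' Logged in but not authorised for this page: leave it.
            Response.Redirect("~/default.aspx")
        End If
    End Sub
End Class
```

The same rule can also be declared without any code, with an `<authorization>` element for the page's `<location>` in web.config, which removes the "we'll refactor it later" step entirely.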