Instead of using session variables, you can implement custom membership in MVC using Forms Authentication, and then apply the `[Authorize(Roles = "Admin")]` attribute to controllers or action methods. If the user is not an admin, they are automatically redirected to the login page.
Custom Membership
// Issue the forms-authentication ticket at login. The ticket name carries both the user id
// and the role as "<userId>.<roleName>", so the role is fixed for the lifetime of the cookie.
string ticketName = user.Id + "." + role.Name;
// Second argument false: the cookie is not persisted across browser sessions.
FormsAuthentication.SetAuthCookie(ticketName, false);
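// Handles the Forms Authentication Authenticate event: rebuilds the request principal from the
// ticket name written at login, which has the form "<userId>.<role>[;<role>...]".
//
// sender: the object raising the event (unused).
// e:      event args; e.User is set only when a valid, unexpired, well-formed ticket is found.
//
// Security notes:
// - The roles come from the cookie exactly as written at login, so a role change or revocation
//   is not seen here until a new ticket is issued. Keep the ticket timeout short, or look the
//   roles up server-side from the user id if revocation must take effect immediately.
// - The cookie content is only trustworthy while forms-auth ticket protection (encryption and
//   validation) is enabled in configuration; NOTE(review): confirm this for the application.
protected void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs e)
{
    if (!FormsAuthentication.CookiesSupported)
    {
        return;
    }

    var authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
    if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
    {
        return;
    }

    // The cookie value is client-supplied. A malformed or tampered value must leave the request
    // unauthenticated by this handler instead of surfacing as an unhandled exception.
    FormsAuthenticationTicket ticket;
    try
    {
        ticket = FormsAuthentication.Decrypt(authCookie.Value);
    }
    catch (System.ArgumentException)
    {
        return;
    }
    catch (System.Security.Cryptography.CryptographicException)
    {
        return;
    }

    // Setting e.User makes this handler responsible for the ticket checks, so an expired
    // ticket has to be rejected here.
    if (ticket == null || ticket.Expired || string.IsNullOrEmpty(ticket.Name))
    {
        return;
    }

    // Split on the first '.' only: the user id precedes it and everything after it is the role
    // list, so a role name that itself contains '.' is not truncated.
    string[] parts = ticket.Name.Split(new[] { '.' }, 2);
    if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0)
    {
        return;
    }

    string userId = parts[0];
    string role = parts[1];

    // Multiple roles, if present, are separated by ';' inside the role segment.
    e.User = new System.Security.Principal.GenericPrincipal(
        new System.Security.Principal.GenericIdentity(userId, "Forms"),
        role.Split(';'));
}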
Usage
/// <summary>
/// Controller restricted to the "Admin" role: the class-level <c>Authorize</c> attribute
/// applies to every action defined on it.
/// </summary>
[Authorize(Roles = "Admin")]
public class AdminController : Controller { }