Re: Persisting user login credentials across pages

From: Siobhan (Siobhan_at_discussions.microsoft.com)
Date: 02/21/05


Date: Mon, 21 Feb 2005 00:55:03 -0800

Hi
The application we are writing is a database application in which each user
must have a unique SQL Server login to allow for auditing of certain
information. Most of the functions of the system are database driven so
database access is unavoidable. At this stage it won't be a large system but
I am just trying to get a handle on this for future developments.
Can I just ask about connection pooling: if each user has a different
username and password, does this make the connection string different and
therefore each login won't use the pool?
Thanks
Siobhan

"Joe Fallon" wrote:

> Siobhan,
> In a large system the DB tends to be the bottleneck so you want to access it
> only when truly needed.
> You can always add more web servers to handle the load. Scaling the DB is
> quite a bit trickier.
>
> So you need to use Forms Authentication to authenticate a given UID and PWD
> combination. These values can be in your DB and you need to look them up and
> verify that the typed in values match the ones in the DB. (Note that the
> connection string for your DB has nothing to do with this. You use those
> credentials to make the connection and take advantage of the connection
> pool. You do NOT vary the connect string with each user as this is a true
> scalability killer.)
>
> Sample code requires you to have a login method on your Principal class
> (which calls your Identity class).
>
> mUser.Login(txtUserId.Text, txtPassword.Text)
> mUser = CType(Thread.CurrentPrincipal, myUser)
>
> If mUser.Identity.IsAuthenticated = True Then
>     HttpContext.Current.User = mUser
>     Session("myPrincipal") = mUser
>     Web.Security.FormsAuthentication.RedirectFromLoginPage(txtUserId.Text, False)
> Else
>     'do something else
> End If
>
>
> I use code like this in my Global.asax file to re-use the principal value on
> each hit:
>
> Private Sub Global_AcquireRequestState(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.AcquireRequestState
>
>     If Not Session("myPrincipal") Is Nothing Then
>         Thread.CurrentPrincipal = DirectCast(Session("myPrincipal"), myUser)
>         HttpContext.Current.User = DirectCast(Session("myPrincipal"), myUser)
>     Else
>         If Thread.CurrentPrincipal.Identity.IsAuthenticated = True Then
>             Web.Security.FormsAuthentication.SignOut()
>             Server.Transfer(Request.ApplicationPath + "/Login.aspx")
>         End If
>     End If
>
> End Sub
>
> Rocky Lhotka explains these concepts very well in his book on Business
> Objects.
> http://www.lhotka.net/ArticleIndex.aspx?area=CSLA%20.NET
> --
> Joe Fallon
>
>
>
>
> "Siobhan" <Siobhan@discussions.microsoft.com> wrote in message
> news:80905982-FCCE-4917-878A-7F0BFFC88135@microsoft.com...
> > Hi
> > Yes this is what we have done before but we are passing the data using a
> > session variable and I had just been worried about the implications of
> > this.
> > I am not sure how Forms authentication would work - the sample using
> > passwords on the site you recommended had passwords stored in the config
> > file - we are using SQL Server authentication to authenticate users. Or
> > maybe I am getting confused as to what you meant. I think I understand the
> > concept of setting the authorisation cookie etc, but I didn't know if this
> > could be used to store the password that they entered on the login page,
> > or if it could, would it be safe?
> > Thanks
> > Siobhan
> >
> > "Wilco Bauwer" wrote:
> >
> >> Sorry, I meant Sparky Arbuckle.
> >>
> >> Siobhan: you can place those textboxes in a usercontrol, such as
> >> Login.ascx. You can place this login control on a login page. If you
> >> look up how forms authentication works, it should be fairly
> >> straightforward to figure out how to get information based on a user's
> >> ID. Such a user ID can be persisted across pages (using sessions).
> >>
> >>
>
>
>
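
Added example, not part of the original thread and not Joe Fallon's or CSLA's code: one way to do the credential lookup described in the quoted reply, using a single application connection string so every request shares one pool, and comparing a salted PBKDF2 hash rather than a stored password. The `AppDb` connection string name, the `AppUsers` table and its columns, and the iteration count are assumptions made for illustration.

```vbnet
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography

Public Module CredentialCheck
    ' One fixed application connection string for every request, so all users
    ' share a single ADO.NET pool (pools are keyed by connection string).
    ' "AppDb" is a hypothetical <connectionStrings> entry in web.config.
    Private ReadOnly AppConnStr As String = _
        ConfigurationManager.ConnectionStrings("AppDb").ConnectionString

    Private Const Iterations As Integer = 100000 ' assumed PBKDF2 work factor

    ' True when the typed password matches the stored salted hash.
    ' Assumed table: AppUsers(UserId nvarchar(64), Salt varbinary, PwdHash varbinary).
    Public Function VerifyLogin(ByVal userId As String, ByVal password As String) As Boolean
        Dim salt As Byte() = Nothing
        Dim stored As Byte() = Nothing

        Using conn As New SqlConnection(AppConnStr)
            Using cmd As New SqlCommand( _
                "SELECT Salt, PwdHash FROM AppUsers WHERE UserId = @uid", conn)
                ' Parameterised: the typed user id never becomes SQL text.
                cmd.Parameters.Add("@uid", SqlDbType.NVarChar, 64).Value = userId
                conn.Open()
                Using rdr As SqlDataReader = cmd.ExecuteReader()
                    If rdr.Read() Then
                        salt = DirectCast(rdr("Salt"), Byte())
                        stored = DirectCast(rdr("PwdHash"), Byte())
                    End If
                End Using
            End Using
        End Using ' Dispose hands the connection back to the pool

        If stored Is Nothing Then Return False ' unknown user id

        ' Re-derive the hash from the typed password and the stored salt.
        Dim kdf As New Rfc2898DeriveBytes(password, salt, Iterations)
        Dim computed As Byte() = kdf.GetBytes(stored.Length)

        ' Compare every byte so timing does not reveal where a mismatch starts.
        Dim diff As Integer = 0
        For i As Integer = 0 To stored.Length - 1
            diff = diff Or (computed(i) Xor stored(i))
        Next
        Return diff = 0
    End Function
End Module
```

Only the user id is then handed to `RedirectFromLoginPage`; the typed password is never placed in the session or the cookie. Because SQL Server sees one login under this design, audit rows need the authenticated user id passed to the database as a parameter.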


