Re: Persisting user login credentials across pages

From: Joe Fallon (jfallon1_at_nospamtwcny.rr.com)
Date: 02/27/05


Date: Sun, 27 Feb 2005 17:15:24 -0500

In ASP.Net 1.1 most people add the connection string to the web.config file.
This file can be changed at any time so it is not really "hardcoded" as you
do not need to re-compile.

A minor concern is that an Admin can read the web.config and learn your
string. (Pretty tough for anyone else to do it.)

In version 2.0 of ASP.Net there are encrypted sections so that no one can
read the value.

You can implement your own security in 1.1. if you need to.

-- 
Joe Fallon
"Siobhan" <Siobhan@discussions.microsoft.com> wrote in message 
news:B07B1720-3B5B-4E49-AC5A-23B11EFAAF71@microsoft.com...
> If I wanted to use a single user name and password to connect where would I
> put this so that it would be secure - I wouldn't want it hard-coded as this
> would require a rebuild if it needed changed?
> Thanks
> Siobhan
>
> "Joe Fallon" wrote:
>
>> Siobhan,
>> In a large system the DB tends to be the bottleneck so you want to access it
>> only when truly needed.
>> You can always add more web servers to handle the load. Scaling the DB is
>> quite a bit trickier.
>>
>> So you need to use Forms Authentication to authenticate a given UID and PWD
>> combination. These values can be in your DB and you need to look them up and
>> verify that the typed in values match the ones in the DB. (Note that the
>> connection string for your DB has nothing to do with this. You use those
>> credentials to make the connection and take advantage of the connection
>> pool. You do NOT vary the connect string with each user as this is a true
>> scalability killer.)
>>
>> Sample code requires you to have a login method on your Principal class
>> (which calls your Identity class).
>>
>>       ' Login checks the typed values against the DB and sets the thread principal.
>>       mUser.Login(txtUserId.Text, txtPassword.Text)
>>       mUser = CType(Thread.CurrentPrincipal, myUser)
>>
>>       If mUser.Identity.IsAuthenticated = True Then
>>         HttpContext.Current.User = mUser
>>         Session("myPrincipal") = mUser
>>         ' The forms ticket carries only the user name, not the password.
>>         Web.Security.FormsAuthentication.RedirectFromLoginPage(txtUserId.Text, False)
>>       Else
>>         'do something else
>>       End If
>>
>>
>> I use code like this in my Global.asax file to re-use the principal value on
>> each hit:
>>
>>   Private Sub Global_AcquireRequestState(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.AcquireRequestState
>>
>>     If Not Session("myPrincipal") Is Nothing Then
>>       ' Re-attach the principal saved at login to this request's thread and context.
>>       Thread.CurrentPrincipal = DirectCast(Session("myPrincipal"), myUser)
>>       HttpContext.Current.User = DirectCast(Session("myPrincipal"), myUser)
>>     Else
>>       ' Forms ticket still says authenticated but the session is gone: sign out and start over.
>>       If Thread.CurrentPrincipal.Identity.IsAuthenticated = True Then
>>         Web.Security.FormsAuthentication.SignOut()
>>         Server.Transfer(Request.ApplicationPath + "/Login.aspx")
>>       End If
>>     End If
>>
>>   End Sub
>>
>> Rocky Lhotka explains these concepts very well in his book on Business
>> Objects.
>> http://www.lhotka.net/ArticleIndex.aspx?area=CSLA%20.NET
>> -- 
>> Joe Fallon
>>
>>
>>
>>
>> "Siobhan" <Siobhan@discussions.microsoft.com> wrote in message
>> news:80905982-FCCE-4917-878A-7F0BFFC88135@microsoft.com...
>> > Hi
>> > Yes this is what we have done before but we are passing the data using a
>> > session variable and I had just been worried about the implications of this.
>> > I am not sure how Forms authentication would work - the sample using
>> > passwords on the site you recommended had passwords stored in the config file
>> > - we are using SQL Server authentication to authenticate users.  Or maybe I
>> > am getting confused as to what you meant.  I think I understand the concept
>> > of setting the authorisation cookie etc, but I didn't know if this could be
>> > used to store the password that they entered on the login page, or if it
>> > could, would it be safe?
>> > Thanks
>> > Siobhan
>> >
>> > "Wilco Bauwer" wrote:
>> >
>> >> Sorry, I meant Sparky Arbuckle.
>> >>
>> >> Siohban: you can place those textboxes in a usercontrol, such as
>> >> Login.ascx. You can place this login control on a login page. If you
>> >> lookup how forms authentication works, it should be fairly
>> >> straightforward to figure out how to get information based on a user's
>> >> ID. Such a user ID can be persisted across pages (using sessions).
>> >>
>> >>
>>
>>
>> 
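As an added example (not code from this thread, and not Lhotka's CSLA code), here is the credential check Joe describes written in C# against the .NET 2.0 / ASP.NET 2.0 APIs: one application connection string read from web.config so every request shares the same connection pool, a parameterised lookup of the user's row, and a comparison of the typed password against a salted PBKDF2 hash rather than a plaintext column, so the password is never stored, never put in the session and never put in the cookie. The connection-string name "AppDb", the dbo.Users table and its columns are assumptions made for the example.

```csharp
// Added example, not code from the thread. Assumes .NET/ASP.NET 2.0, a connection
// string named "AppDb" in web.config, and a hypothetical dbo.Users table with
// columns UserId nvarchar(64), PasswordSalt varbinary(16), PasswordHash
// varbinary(32), Iterations int.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class PasswordHasher
{
    public const int SaltLength = 16;
    public const int HashLength = 32;
    public const int DefaultIterations = 10000;

    // PBKDF2 over the password and a per-user random salt (Rfc2898DeriveBytes ships with .NET 2.0).
    public static byte[] Derive(string password, byte[] salt, int iterations, int length)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, iterations);
        return kdf.GetBytes(length);
    }

    public static byte[] NewSalt()
    {
        byte[] salt = new byte[SaltLength];
        new RNGCryptoServiceProvider().GetBytes(salt);
        return salt;
    }

    // No early exit, so response time does not depend on how many bytes matched.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class AppLogin
{
    // One application credential for every user, so all requests share one connection pool.
    // ConfigurationManager decrypts a protected <connectionStrings> section transparently.
    private static string ConnectionString
    {
        get { return ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString; }
    }

    // Fetch the user's salt and hash and compare against the typed password.
    // The typed password itself is never written to the session, the cookie or a log.
    public static bool VerifyCredentials(string userId, string password)
    {
        const string sql =
            "SELECT PasswordSalt, PasswordHash, Iterations FROM dbo.Users WHERE UserId = @UserId";
        using (SqlConnection cn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, cn))
        {
            cmd.Parameters.Add("@UserId", SqlDbType.NVarChar, 64).Value = userId; // never concatenate input into SQL
            cn.Open();
            using (SqlDataReader rd = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!rd.Read()) return false; // unknown user: same answer as a wrong password
                byte[] salt = (byte[])rd["PasswordSalt"];
                byte[] stored = (byte[])rd["PasswordHash"];
                int iterations = (int)rd["Iterations"];
                byte[] computed = PasswordHasher.Derive(password, salt, iterations, stored.Length);
                return PasswordHasher.FixedTimeEquals(computed, stored);
            }
        }
    }

    // Reset a user's record with a fresh salt (for an admin tool, not the login page).
    public static void SetPassword(string userId, string newPassword)
    {
        byte[] salt = PasswordHasher.NewSalt();
        byte[] hash = PasswordHasher.Derive(newPassword, salt, PasswordHasher.DefaultIterations, PasswordHasher.HashLength);
        const string sql =
            "UPDATE dbo.Users SET PasswordSalt = @Salt, PasswordHash = @Hash, Iterations = @Iter WHERE UserId = @UserId";
        using (SqlConnection cn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, cn))
        {
            cmd.Parameters.Add("@Salt", SqlDbType.VarBinary, PasswordHasher.SaltLength).Value = salt;
            cmd.Parameters.Add("@Hash", SqlDbType.VarBinary, PasswordHasher.HashLength).Value = hash;
            cmd.Parameters.Add("@Iter", SqlDbType.Int).Value = PasswordHasher.DefaultIterations;
            cmd.Parameters.Add("@UserId", SqlDbType.NVarChar, 64).Value = userId;
            cn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

The login button handler then reduces to: if AppLogin.VerifyCredentials(txtUserId.Text, txtPassword.Text) succeeds, call FormsAuthentication.RedirectFromLoginPage(txtUserId.Text, false); otherwise show an error. Only the user name goes into the ticket, which is what makes the cookie safe to issue. On ASP.NET 2.0 the connectionStrings section that AppLogin reads can be encrypted in place from a command prompt with aspnet_regiis -pe "connectionStrings" -app "/MyApp" (add -prov DataProtectionConfigurationProvider to use DPAPI instead of the default RSA provider); the application reads it unchanged. One caveat a practitioner should keep in mind: this protects the file against being copied and read elsewhere, but anything running as the application's identity, and an administrator on that machine, can still recover the plaintext, so it narrows who can read the string rather than making it unreadable to everyone.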

