Form Authentication using SQL Server Users

armenrz

Hi All,

I am developing a web project that uses Forms Authentication and SQL Server.
Instead of storing users and passwords in a table, I am going to use SQL Server user accounts. The connection string will be created on the fly by concatenating the user name and password supplied from the Login page.

' The user name and password from the login page are concatenated into the connection string.
strConn = "provider=SQLOLEDB;server=DINO;database=MyShop;uid=" & m_UserName & ";pwd=" & m_Password & ";"
m_Cnn = New OleDbConnection(strConn)
m_Cnn.Open()

If opening the connection is successful, then the user is authenticated.

Now, is it secure enough to do it this way?

Thanks.

Armen
 
In this case the permissions are very important, because the user can use SQL Enterprise Manager to connect to the database and do whatever he wants based on his user permissions. I don't think it is secure.
 
Arch4ngel said:
General advice? Don't do that :p

Strongly agree. Besides, when you store user profiles in a table in your database, you can then do other things like logging user logins/logouts, and also link your users table to a permissions table for enhanced security.

Where I work, we take advantage of SQL Server for handling user login and even have a stored procedure generate our security token for our web applications. This token, actually a GUID generated using the NEWID T-SQL function, is stored in the user profile table and is passed around in the URL in our web applications.

Just my 2 cents, but I hope that helps.
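
The table-based approach recommended in the replies, as an added example that is not part of the original thread: submitted credentials are checked against a users table through parameterized queries (never placed in a connection string), every attempt is logged, and permissions come from a linked table. Python with in-memory SQLite stands in for SQL Server here, and all table, column and function names are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # demo value (assumption); tune to your hardware


def open_store():
    """In-memory SQLite stands in for the application's SQL Server database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
                            salt BLOB NOT NULL, pw_hash BLOB NOT NULL);
        CREATE TABLE permissions (user_id INTEGER REFERENCES users(id),
                                  perm TEXT NOT NULL);
        CREATE TABLE login_log (name TEXT NOT NULL, success INTEGER NOT NULL,
                                at TEXT DEFAULT CURRENT_TIMESTAMP);
    """)
    return db


def _hash(password, salt):
    # Salted, slow hash: the table never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def add_user(db, name, password, perms=()):
    salt = os.urandom(16)
    cur = db.execute("INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
                     (name, salt, _hash(password, salt)))
    db.executemany("INSERT INTO permissions VALUES (?, ?)",
                   [(cur.lastrowid, p) for p in perms])


def login(db, name, password):
    """Return the user's permission set on success, None on failure.
    Every attempt, successful or not, is written to login_log."""
    row = db.execute("SELECT id, salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    # Hash even for unknown users so both failure paths do the same work.
    salt, expected = (row[1], row[2]) if row else (b"\0" * 16, b"")
    ok = row is not None and hmac.compare_digest(_hash(password, salt), expected)
    db.execute("INSERT INTO login_log (name, success) VALUES (?, ?)",
               (name, int(ok)))
    if not ok:
        return None
    rows = db.execute("SELECT perm FROM permissions WHERE user_id = ?", (row[0],))
    return {perm for (perm,) in rows}
```
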
 