SqlConnection Security Question

bri189a (Senior Contributor, joined Sep 11, 2003, 1,004 messages, VA)
Still new to ASP.NET, as you know... I'm working with a database that generally is read-only to 99% of the visitors, then there is the 1% of people who can change the records. What I've been doing is having a secret page where they can enter the username and password to the SqlLogin that has db_datareader/db_datawriter permissions and trying to open and close the connection. If it doesn't open I tell them they entered a wrong user name or password; if it does, I transfer them back to the home page with session variables set with the username and password. All the other pages look at these session variables and if they are set the application uses that to connect to the database; if not it uses the default (db_datareader only) that is hard-coded into the code page. How insecure is this? I think you see what I'm trying to do, what is the correct method?
 
Hi,

What I tend to do for the 1% of users who need to edit content on the site is create a separate application for them to do it in. This might seem like a lot of pointless work, but it's just the way I chose to do things.

They are issued with a username and password, and every single action they perform within the site is logged along with a date / time. This way they can't come back to me and say someone's deleted all our news articles, because I can check the log and see they did it themselves etc.

They have no different access to the DB than other users, the difference is they can access pages on a site which will call UPDATE and INSERT commands to modify the contents of the database.

You have to remember that a secret page isn't very secret once Google has indexed it!

Hope this helps.

Thanks

Andrew
 
How do you keep anyone else from accessing that page? I see what you're doing... I guess my question is what prevents the common user from accessing those pages?
 
Okay, I looked into that. That is all great and well if you want the whole app to have security, but what if you just want certain pages? Does the config file allow you to set it to only check that certain pages require authentication? Most of the pages need to allow anonymous access while only a select couple need to make sure the user is authenticated...
 
Here's a trimmed version of a web.config file that will send anonymous users to the login page only if they attempt to access pages in the Admin directory. In other words, create a folder named, let's say, Admin and place the secured pages there.

<configuration>
  <system.web>
    <!-- Forms authentication: requests that need a login are redirected here.
         loginUrl is a URL, so it uses a forward slash, not a backslash. -->
    <authentication mode="Forms">
      <forms name="myTest" loginUrl="Admin/Login.aspx" />
    </authentication>
    <!-- Site-wide rule: everyone, anonymous users included, may browse -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <!-- Override for the Admin folder only: "?" means anonymous users, so they
       are denied here and bounced to the login page -->
  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>

 
What I ended up doing was creating a list of roles in the web config file and then if a person goes to the log on page I compare the sent user name and password. If it matches I then use the username (which is unique of course) to pull down the roles for that user from the database and then with that information I create a new Principal object. Then on each page where there is admin stuff that can be accessed I use the User.IsMemberOf(string name) function to see if they are a member of that role.
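The role-based scheme described in the post above, as an added example that is not the poster's code: the application connects to SQL Server with one fixed, least-privilege login, the roles are loaded with a parameterized query and carried in the forms authentication ticket, and Global.asax rebuilds a GenericPrincipal on every request so pages check membership with the framework's IPrincipal.IsInRole. The table Users(UserName, Roles), the connection string, and the password check (assumed to happen before SignIn is called) are assumptions, not part of the original thread.

```csharp
// Added example, not the poster's code. Assumed table Users(UserName, Roles)
// with a comma-separated Roles column; the password check is assumed to have
// succeeded before SignIn is called; the connection string is a placeholder.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class AdminAuth
{
    const string ConnStr = "server=(local);database=Site;trusted_connection=yes"; // assumed

    // Roles for an already-verified user. The username is a parameter, never SQL text.
    public static string[] LoadRoles(string userName)
    {
        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Roles FROM Users WHERE UserName = @u", conn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 50).Value = userName;
            conn.Open();
            object roles = cmd.ExecuteScalar();   // null or DBNull when unknown
            return roles is string ? ((string)roles).Split(',') : new string[0];
        }
    }

    // Login page, after the password check: ticket UserData carries the roles.
    public static void SignIn(string userName, string[] roles, HttpResponse resp)
    {
        FormsAuthenticationTicket t = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), false,
            string.Join(",", roles));
        resp.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(t)));
    }

    // Call from Global.asax Application_AuthenticateRequest: rebuild the principal
    // from the encrypted ticket so any page can simply ask User.IsInRole("Admin").
    public static void AttachPrincipal(HttpContext ctx)
    {
        HttpCookie c = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (c == null) return;
        FormsAuthenticationTicket t = FormsAuthentication.Decrypt(c.Value);
        if (t == null || t.Expired) return;   // missing, tampered or stale ticket
        ctx.User = new GenericPrincipal(new FormsIdentity(t), t.UserData.Split(','));
    }
}
```

Because the roles live in the encrypted, signed ticket rather than in session variables, no SQL credentials ever reach the browser and the per-request cost is a cookie decrypt, not a database round-trip.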
 