armenrz, posted April 29, 2004:

Hi All, I am developing a web project that uses Forms Authentication and SQL Server. Instead of storing users and passwords in a table, I am going to use SQL Server user accounts. The connection string will be created on the fly by concatenating the user name and password supplied from the Login page.

    Imports System.Data.OleDb

    ' Build the connection string from the credentials typed on the Login page
    strConn = "provider=SQLOLEDB;server=DINO;database=MyShop;uid=" & m_UserName & ";pwd=" & m_Password & ";"
    m_Cnn = New OleDbConnection(strConn)
    ' Open() throws an exception if SQL Server rejects the login
    m_Cnn.Open()

If opening the connection is successful then the user is authenticated. Now, is it secure enough to do it this way?

Thanks.
Armen

bungpeng, posted April 29, 2004:

In this case the permissions are very important, because the user can use SQL Enterprise Manager to connect to the database and do whatever he wants based on his user permissions. I don't think it is secure.

PlausiblyDamp (Administrators), posted April 29, 2004:

This method will also prevent ASP.Net from being able to pool SQL connections and as such could cause performance issues.

Arch4ngel, posted April 29, 2004:

General advice? Don't do that :p

akiaz, posted April 29, 2004:

> General advice? Don't do that :p

Strongly agree. Besides, when you store user profiles in a table in your database, you can then do other things like logging user logins/logouts, and also link your users table to a permissions table for enhanced security. Where I work, we take advantage of SQL Server for handling user login and even have a stored procedure generate our security token for our web applications. This token, actually a GUID generated using the NEWID T-SQL function, is stored in the user profile table and is passed around in the URL in our web applications. Just my 2 cents, but I hope that helps.
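
An added example, not part of any post in this thread: the table-based login the replies recommend, written in VB.NET with one fixed application login so ASP.NET can pool connections and users never hold SQL Server credentials. The `shop_web` login, the `dbo.AppUsers` and `dbo.LoginAudit` tables with their columns, and the PBKDF2 settings are assumptions; the thread names none of them.

```vb
Imports System.Data.SqlClient
Imports System.Security.Cryptography

Public Module AppLogin
    ' Assumption: one least-privilege application login (hypothetical name), password from config.
    Private Const ConnStr As String =
        "Server=DINO;Database=MyShop;User Id=shop_web;Password=<from-config>;"
    Private Const Iterations As Integer = 100000

    ' PBKDF2-HMAC-SHA256 is a choice made for this example; the thread names no hash.
    Public Function HashPassword(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(32)
        End Using
    End Function

    ' Compare every byte instead of returning at the first mismatch.
    Public Function SameBytes(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    Public Function Authenticate(userName As String, password As String) As Boolean
        Dim ok As Boolean = False
        Using cnn As New SqlConnection(ConnStr)
            cnn.Open()
            ' User input travels only as parameters, never as connection-string text.
            Using cmd As New SqlCommand(
                "SELECT Salt, PasswordHash FROM dbo.AppUsers WHERE UserName = @u", cnn)
                cmd.Parameters.AddWithValue("@u", userName)
                Using rdr As SqlDataReader = cmd.ExecuteReader()
                    If rdr.Read() Then
                        ok = SameBytes(HashPassword(password, CType(rdr("Salt"), Byte())),
                                       CType(rdr("PasswordHash"), Byte()))
                    End If
                End Using
            End Using
            ' Audit every attempt, which a users table makes possible.
            Using log As New SqlCommand("INSERT INTO dbo.LoginAudit " &
                "(UserName, Succeeded, AttemptedAt) VALUES (@u, @ok, SYSUTCDATETIME())", cnn)
                log.Parameters.AddWithValue("@u", userName)
                log.Parameters.AddWithValue("@ok", ok)
                log.ExecuteNonQuery()
            End Using
        End Using
        Return ok
    End Function
End Module
```

The `shop_web` login needs only SELECT on `dbo.AppUsers` and INSERT on `dbo.LoginAudit`, so a user who connects with another client has no database credentials of their own to use.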