Xtreme .Net Talk

Recommended Posts

Posted

You have missed the point,

 

The person that is logged onto the computer may not be the person trying to access your app. Such a security hole may not be a problem for your app, but there may also be a valid case for someone wanting to avoid logging off/on to access your system and then back to the original user when they could have done it with a login to your app.

 

Again, this may not be an issue for you.

Hamlet
Posted
 

What donnacha is trying to say (I believe) is: what if the person logged onto the computer and the person currently using it are different? Wouldn't they have two different data values in the database? For example, if Molly was in accounting and Jan was in research, Jan couldn't access her research data from Molly's computer because Molly is logged in. So Jan would have to log Molly out, log back in as herself, and restart your program, wasting much time in the process.

 

If I am correct in my assumption, it would make more practical sense to have space for a username instead of obtaining the person who is currently logged on (besides the huge security hole there).

-Sean
  • Administrators
Posted

The problem with that scenario is that users now have to remember two username/password combinations (one for the domain, one for the application) and keep them in sync when one or the other forces a change. Also, if Molly is using the system, she would still have to at least close the application and re-run it to log on as herself anyway...

 

This also introduces another security weakness, as now there is a second copy of username/password pairs to be maintained, stored, backed up, etc. If this second copy is stored using a weaker form of hashing or encryption, or stored in a less secure area (including backups) than the domain, then it becomes a simpler target for would-be hackers.

 

If a person is using the PC they should be logged in as themselves so that auditing etc. can easily be done; if this can be integrated within your application, all the better. When finished, log out and others can use the PC.


 

Intellectuals solve problems; geniuses prevent them.

-- Albert Einstein
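The two positions in this thread are not actually in conflict, and the following C# example (added here; it is not code from any poster) shows the middle ground a practitioner would usually take. By default the application uses the identity of the interactive Windows user via WindowsIdentity.GetCurrent(). For Sean's scenario, where Jan is sitting at Molly's logged-on PC, the app offers a login prompt, but the credentials typed in are Jan's *domain* credentials, validated by the domain through the Win32 LogonUser API, so the application never keeps its own username/password table and the second, weaker credential store the administrator warns about does not exist. Both paths end in a WindowsIdentity, so the same audit line is written whichever way the user arrived. The group name CORP\Research, the command-line argument layout, and the Audit method are assumptions made for the example; LogonUser, CloseHandle and the LOGON32_* constants are real Win32 definitions.

```csharp
// Added example, not from the original thread. Targets .NET Framework 2.0 or later on Windows.
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

class DomainLogonExample
{
    // Real Win32 API: validates a username/password against the local machine or domain
    // and returns an access token for that user. No password is stored by the application.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string userName, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Real Win32 constants (from winbase.h).
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Default path: the person at the keyboard is the interactively logged-on Windows user.
    static WindowsIdentity CurrentWindowsUser()
    {
        return WindowsIdentity.GetCurrent();
    }

    // Sean's scenario: Jan is at Molly's PC. Jan types her own domain credentials into the
    // application, the domain validates them, and we get Jan's identity without logging Molly off.
    static WindowsIdentity LogonAsDomainUser(string user, string domain, string password)
    {
        IntPtr token;
        bool ok = LogonUser(user, domain, password,
                            LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token);
        if (!ok)
        {
            // Do not echo the password or distinguish "bad user" from "bad password" to the caller.
            int err = Marshal.GetLastWin32Error();
            throw new UnauthorizedAccessException("Domain logon failed (Win32 error " + err + ")");
        }
        try
        {
            // WindowsIdentity keeps its own duplicate of the token on .NET 2.0 and later,
            // so the original handle can be closed once the identity has been constructed.
            return new WindowsIdentity(token);
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // Assumed audit helper: one identity string for both paths so log entries are comparable.
    static string Audit(WindowsIdentity who, string action)
    {
        string line = string.Format("{0:u} {1} {2} (auth={3})",
                                    DateTime.UtcNow, who.Name, action, who.AuthenticationType);
        Console.WriteLine(line);
        return line;
    }

    static void Main(string[] args)
    {
        WindowsIdentity who = CurrentWindowsUser();

        // Assumed command line for demonstration only: <user> <domain> <password>.
        // A real application would use a masked password field, never argv or a config file.
        if (args.Length == 3)
        {
            who = LogonAsDomainUser(args[0], args[1], args[2]);
        }

        Audit(who, "opened application");

        // Authorisation also comes from the domain: group membership, not a local user table.
        // CORP\Research is a hypothetical group name.
        WindowsPrincipal principal = new WindowsPrincipal(who);
        bool canSeeResearchData = principal.IsInRole(@"CORP\Research");
        Audit(who, canSeeResearchData ? "granted research data" : "denied research data");
    }
}
```

Two caveats worth keeping in mind. LOGON32_LOGON_INTERACTIVE requires the account to hold the "Allow log on locally" right on that PC; if you only need to prove who the user is, LOGON32_LOGON_NETWORK (3) validates the credentials without that requirement. And a password held in a .NET string stays in managed memory until the garbage collector reclaims it, so the window between the prompt and the LogonUser call should be kept as short as possible.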
