
   comp.databases.ms-sqlserver      Notorious Rube Goldberg contraption      19,505 messages   


   Message 18,601 of 19,505   
   Erland Sommarskog to enkaradag@gmail.com   
   Re: any advice for a login system?   
   21 Apr 12 00:29:50   
   
   2c741dc3   
   From: esquel@sommarskog.se   
      
   Ender Karada? (enkaradag@gmail.com) writes:   
   > our application is a two tier application between fat clients and a
   > completely dummy database server (what I mean is: all calculations and
   > requirements are done on the client machine, the server just saves the given
   > data and queries it) but I want to redesign all the application and
   > database with the best approach (with a "+1" tier maybe).
      
   I guess the reason for this complicated arrangement is that you don't   
   want users to access the database directly from outside the application.   
      
   This is not really achievable with a two-tier application. Anything
   the application can do, the user can do outside the application.
   You can employ various tricks, but it's only security by obscurity.
   It may be enough to keep the users who are too smart for their own   
   good out, but not enough to keep the dedicated malicious user out.   
      
   The best you can do, save re-architecting the application, is to
   put it on a terminal server, and set up the terminal server so that
   when users log in they directly come to the application, and so that
   they cannot leave the application. Then you can do one of two things:
      
   1) Application uses a proxy login, and users have no logins of their   
      own.   
   2) Application logs in each user with their own login, but the network
      is set up so that users cannot reach SQL Server from their own
      machines.
      
   > for the login structure, would it be possible to change the SQL Server
   > user, without dropping the session?
      
   There are application roles that were introduced to address this   
   situation, but again, on a two-tier application, they are not safe,   
   because the user can always retrieve the password on his own.   
      
   As for your endeavour to move the business logic from the application
   to the database, this is definitely a correct step to take, but it
   will certainly take some time to realise.
      
   --   
   Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se   
      
   Links for SQL Server Books Online:   
   SQL 2008: http://msdn.microsoft.com/en-us/sqlserver/cc514207.aspx   
   SQL 2005: http://msdn.microsoft.com/en-us/sqlserver/bb895970.aspx   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
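The application-role mechanism Erland mentions, and the "change user without dropping the session" question it answers, as an added example that is not part of the post. The database, login, table and role names are assumptions, and the password is a placeholder.

```sql
-- Constructed example: InventoryDb, clerk_login, dbo.Orders and the role
-- InventoryApp are assumed names, not taken from the thread.
USE InventoryDb;
GO

-- The application role carries the permissions the client program needs...
CREATE APPLICATION ROLE InventoryApp
    WITH PASSWORD = N'<placeholder-strong-password>', DEFAULT_SCHEMA = dbo;
GO
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO InventoryApp;
GO

-- ...while the user's own database principal gets none of them, so a
-- direct connection with the user's login cannot touch dbo.Orders.
CREATE USER clerk FOR LOGIN clerk_login;
GO

-- Client side, on the already-open connection: activate the role.
-- This switches the security context without dropping the session.
-- sp_setapprole must be sent as a direct batch; it cannot be called
-- from inside another stored procedure or a user-defined transaction.
DECLARE @cookie varbinary(8000);
EXEC sp_setapprole
    @rolename      = 'InventoryApp',
    @password      = N'<placeholder-strong-password>',
    @fCreateCookie = true,
    @cookie        = @cookie OUTPUT;

SELECT USER_NAME();               -- reports InventoryApp, not clerk
SELECT COUNT(*) FROM dbo.Orders;  -- allowed only while the role is active

-- Drop back to the login's own context using the cookie.
EXEC sp_unsetapprole @cookie;
SELECT USER_NAME();               -- reports clerk again
GO
```

The role password has to be present wherever the sp_setapprole batch is sent from, so in a fat client it can be recovered by the user, which is exactly the weakness the reply points out; the role only adds protection when that client code runs somewhere users cannot inspect, such as the locked-down terminal server described above.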



(c) 1994,  bbs@darkrealms.ca