2.0 built-in forms security and SID equivalent

David Thielen

Hi;

If I use Active Directory for security, I can track the owner of records I
create in the database using the SID of the user. If the user "dave" is
deleted and a new one created, the new "dave" does not get access to the
records of the original "dave".

However using the 2.0 built in forms security there does not seem to be any
kind of GUID created with each user. So the user "dave" could be deleted and
then recreated and the new "dave" would have access to the old "dave" records.

Am I missing something? This is sort of basic to security so I assume this
must be covered somehow.
 
Luke Zhang [MSFT]

Hello,

In ASP.NET security, the permission is based on the role. If the original
"Dave" and the new "dave" are in the same role, they will have the same
permission. So, you may give the new "Dave" a new password, and a new role if
necessary. By the way, if you use the SQL Server member provider, there will be
a UserID and ApplicationID in the database, and they are not duplicated for new
and original users.


Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
David Thielen

Hi;

I am using the SID for ownership so I know who created records. You are
right about permissions.

I am using the default Sql Express for membership. Does it have UserID and
if so, how do I get it?
 
Luke Zhang [MSFT]

In the database 'aspnetdb', there is a table 'aspnet_Users' which has a
column named "UserID".

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Dominick Baier [DevelopMentor]

which is not a SID - just a GUID to keep the records unique...
 
Luke Zhang [MSFT]

The only way is to connect to the database with ADO.NET directly and query the
value.

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Dominick Baier [DevelopMentor]

haven't tried it - but isn't the GUID exposed as MembershipUser.ProviderUserKey?
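
An added example, not part of any post in this thread: stamping record ownership with the membership provider's user key instead of the user name. It assumes the default SqlMembershipProvider (so that ProviderUserKey is a Guid), a hypothetical application table Documents(Id, Title, OwnerKey), and that a deleted account was removed together with its related data, so a re-created user is issued a new key.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

public static class RecordOwnership
{
    // Key of the signed-in user as issued by the membership provider.
    // Assumption: SqlMembershipProvider, where this key is a Guid.
    public static Guid CurrentUserKey()
    {
        MembershipUser user = Membership.GetUser(); // null if no matching user
        if (user == null)
            throw new InvalidOperationException("No authenticated user.");
        if (!(user.ProviderUserKey is Guid))
            throw new NotSupportedException("Provider key is not a Guid.");
        return (Guid)user.ProviderUserKey;
    }

    // Store the key, not the user name, as the owner of a new record.
    // Documents(Id, Title, OwnerKey) is a hypothetical application table.
    public static void CreateDocument(string connectionString, string title)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO Documents (Title, OwnerKey) VALUES (@title, @owner)", conn))
        {
            cmd.Parameters.Add("@title", SqlDbType.NVarChar, 200).Value = title;
            cmd.Parameters.Add("@owner", SqlDbType.UniqueIdentifier).Value = CurrentUserKey();
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Ownership check by key: a user with the same name but a different
    // key matches no rows.
    public static bool IsOwner(string connectionString, int documentId)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Documents WHERE Id = @id AND OwnerKey = @owner", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = documentId;
            cmd.Parameters.Add("@owner", SqlDbType.UniqueIdentifier).Value = CurrentUserKey();
            conn.Open();
            return (int)cmd.ExecuteScalar() == 1;
        }
    }
}
```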
 
Dominick Baier [DevelopMentor]

the default connection string is called LocalSqlServer - if you have not
changed that, use

ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString;
 
Dominick Baier [DevelopMentor]

also - MS only guarantees to keep the Views and Sprocs in aspnetdb
stable - but not the underlying table schema...
 
David Thielen

Hi;

How do I get the connection string to the user database? It's not in the
Web.Config. Also, are you sure this has to go direct - it seems strange they
have this value but don't make it available. Why have it then?
 
