Terry Holland
I have an intranet application that comprises an ASP.Net application
connecting to a SQL Server DB
The application has 150 users. At the moment I am connecting using the
following setup
I have created a MyApp_WebUser user in SQL Server. My connection string,
which is stored in my web.config file, is
<add key="DB:CSA" value="data source=MyServer;initial catalog=CSA;uid=MyApp_WebUser;pwd=12345678" />
and my business objects use this string to make all their connections to the
database. This way, all my connection strings are identical and I can make
use of connection pooling.
However, this is causing some problems in the business domain. My DB
contains a User table in which I have a record of all users, their
application login and their application password. When users log in via a
login page, their username and password are checked against the User table
and they get access to various pages according to their role (I also have a
Role table). There are a number of issues that I need to address here and
would appreciate advice
1) It is a business requirement that all passwords need to change every 30
days and they need to conform to a particular pattern. I figure I could
either write my own code to enforce this in the application or allow users
to log in using their Active Directory passwords.
If I use their Windows login I would have the advantage of letting Windows
deal with the changing of passwords etc., but would I be right in thinking
that the connection string should be changed to
<add key="DB:CSA" value="data source=MyServer;initial catalog=CSA;integrated security = SSPI" />
If this is the case, then my connection string will be different for each
user and I will not be able to take advantage of connection pooling.
2) If I stick with my User table and write my own code for enforcing the
password requirements, how could I store their passwords in the db in an
encrypted format?
Advice appreciated
Terry Holland
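For the first question, here is an added web.config example (not the poster's file) of the "trusted subsystem" layout that keeps Windows authentication for the users while still sharing one connection pool. It assumes IIS has Windows authentication enabled for the site and that the application pool (worker process) identity is a domain account, or the machine account, that has been granted a login on MyServer and access to the CSA database; the key name and server/database names are taken from the post.

```xml
<!-- Added example, not the original web.config. Users authenticate to
     IIS/ASP.NET with their Windows accounts, so Active Directory enforces
     the 30-day rotation and the complexity pattern. The application
     itself connects to SQL Server as one fixed identity (the app pool
     account), so every request uses the same connection string and the
     same pool. -->
<configuration>
  <appSettings>
    <!-- No uid/pwd in the file. The worker process identity logs in to
         SQL Server; that account (assumed here to be a domain account)
         must be granted access to CSA. -->
    <add key="DB:CSA"
         value="Data Source=MyServer;Initial Catalog=CSA;Integrated Security=SSPI" />
  </appSettings>
  <system.web>
    <!-- IIS performs the Windows logon; User.Identity.Name then carries
         DOMAIN\user into the page for the Role table lookup. -->
    <authentication mode="Windows" />
    <authorization>
      <!-- no anonymous access -->
      <deny users="?" />
    </authorization>
    <!-- Keep impersonation off. With impersonate="true" each user's own
         token would open the SQL connections, which is what produces one
         pool per user (and needs Kerberos delegation when SQL Server is
         on another machine). -->
    <identity impersonate="false" />
  </system.web>
</configuration>
```

With this arrangement the User table no longer needs to hold passwords at all; it only needs to map the Windows account name to a role, and the existing page-level role checks stay as they are.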
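For the second question, here is an added C# example (not code from the post) of how the application-managed option is normally done: the password is not stored encrypted (which would need a key the web server can read, and a compromise of that key exposes every password) but as a salted PBKDF2 hash using the framework's Rfc2898DeriveBytes, with the 30-day age and the pattern rule enforced in code. The regular expression policy, the iteration count and the column names the caller would map this to (PasswordHash, PasswordSalt, PasswordChanged) are assumptions for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

// Added example, not from the original post. Stores each password as a
// random salt plus a PBKDF2 hash, so the database never holds anything
// from which the password can be recovered, and the same wrong password
// hashes differently for every user. Assumed storage: two Base64 string
// columns (PasswordSalt, PasswordHash) and a PasswordChanged datetime.
public static class PasswordStore
{
    const int SaltBytes = 16;
    const int HashBytes = 32;
    const int Iterations = 100000;   // assumed; tune so Derive takes ~100 ms
    const int MaxPasswordAgeDays = 30;

    // Assumed policy: at least 8 characters with upper, lower, digit, symbol.
    static readonly Regex Pattern = new Regex(
        @"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$");

    public static bool MeetsPattern(string password)
    {
        return password != null && Pattern.IsMatch(password);
    }

    // Called when a user sets or changes a password. Returns the salt and
    // hash to write to the User table together with the current UTC time.
    public static void Create(string password, out string saltB64, out string hashB64)
    {
        if (!MeetsPattern(password))
            throw new ArgumentException("Password does not meet the policy.");

        byte[] salt = new byte[SaltBytes];
        new RNGCryptoServiceProvider().GetBytes(salt);   // cryptographic random salt

        saltB64 = Convert.ToBase64String(salt);
        hashB64 = Convert.ToBase64String(Derive(password, salt));
    }

    // Called from the login page with the row read for the supplied username.
    public static bool Verify(string password, string saltB64, string hashB64)
    {
        byte[] salt = Convert.FromBase64String(saltB64);
        byte[] expected = Convert.FromBase64String(hashB64);
        byte[] actual = Derive(password ?? "", salt);
        return FixedTimeEquals(expected, actual);
    }

    // True when the stored password is older than the 30-day limit; the
    // login page should then force a change before granting access.
    public static bool IsExpired(DateTime passwordChangedUtc, DateTime nowUtc)
    {
        return nowUtc - passwordChangedUtc > TimeSpan.FromDays(MaxPasswordAgeDays);
    }

    static byte[] Derive(string password, byte[] salt)
    {
        // PBKDF2 with HMAC-SHA1 (what Rfc2898DeriveBytes implements).
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        return kdf.GetBytes(HashBytes);
    }

    // Compare every byte so the time taken does not reveal how many
    // leading bytes of the hash matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Usage from the login page is: read the row for the submitted username, call `Verify(submittedPassword, row.PasswordSalt, row.PasswordHash)`, and on success check `IsExpired(row.PasswordChanged, DateTime.UtcNow)` before redirecting into the application; on a password change call `Create` and write the new salt, hash and timestamp back. Rfc2898DeriveBytes is not disposed here on purpose so the code also compiles on .NET 2.0, where it did not implement IDisposable.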