Carl--
Thank you very much for the responses.
(I'm glad SOMEBODY knows what they are talking about when it comes to this
stuff.)
I understand your posts.
However, to simplify, how aobut just doing the following.
Ask the web host to create a new user and assign that new user execute
rights to all SPs in the ASPState database.
Then, I just reference that user in my web.config file something like
this...
<sessionState mode="SQLServer" sqlConnectionString="data
source=NameOfDbWithStateInstalled;user
id=StateUser;password=SomePasswordValue" cookieless="true" timeout="20" />
....and then move on from there?
(I'd rather not have to ask the web host to do a lot of specialized
configuration because that may make them hesitate.)
What do you think?
Please advise.
--Mark
Carl Prothman said:
When your ISP runs "InstallSqlState.sql", it will create a new database called ASPState.
That database will contain stored procedures and tables. So to secure it, you would
want to only give Execute permissions to the stored procedures for the User account
specified in the web.config's sessionState's sqlConnectionString. The User account
should not have any direct access to the tables
http://msdn.microsoft.com/library/en-us/cpgenref/html/gngrfsessionstatesection.asp
Sorry, there are no user tables in the ASPState database. The user tables
are created
in the Temp db.
If your ISP has installed SQL Server 2000 **SP3** and left the
cross-database
ownership chaining off (it's off by default), then you'll get the following
error messages:
SELECT permission denied on object 'ASPStateTempApplications', database
'tempdb', owner 'dbo'.
INSERT permission denied on object 'ASPStateTempApplications', database
'tempdb', owner 'dbo'.
SELECT permission denied on object 'ASPStateTempApplications', database
'tempdb', owner 'dbo'.
In this case, your ISP will need to enable cross-database ownership
chaining.
Here is what the SP3 readme says:
*******
Note Enabling cross-database ownership chaining for all databases is not
recommended.
After installation, you can use the following methods to turn
cross-database
ownership chaining on and off for all databases in the instance:
a.. Use the new Cross DB Ownership Chaining argument of the sp_configure
system stored procedure.
b.. Use the Allow Cross-Database Ownership Chaining option on the
Security
tab of the SQL Server Properties dialog box in Enterprise Manager.
c.. Use the SQLServer.Configuration.ConfigValues Database Management
Objects (DMO) collection. When the SQLServer object references an instance
of SQL Server 2000 SP3 or later, this collection contains a ConfigValue
object named Cross DB Ownership Chaining.
If cross-database ownership chaining is turned off for the instance, you
can
configure it for individual databases. Use the following methods to turn
cross-database ownership chaining on and off for a database:
a.. Use the new db chaining option of the sp_dboption system stored
procedure.
b.. Use the Allow Cross-Database Ownership Chaining option on the Options
tab of the Database Properties dialog box in Enterprise Manager.
c.. Use the DBChaining property of the DBOption2 DMO object.
Note If you previously enabled cross-database ownership chaining on a
pre-release version of SP3 (earlier than build 8.00.[BUILD_NUMBER]), you
must enable it again after installing the release version of SP3.
For more information, click the Help button on the Backwards Compatibility
Checklist page when you run Setup, download the updated edition of SQL
Server 2000 Books Online, or see Knowledge Base article 810474.
*******
--
Thanks,
Carl Prothman
Microsoft ASP.NET MVP
http://www.able-consulting.com