why not SQL Authentication?

Discussion in 'ASP .Net Security' started by Pavlos Kariotellis, Mar 28, 2005.

  1. Pavlos Kariotellis, Mar 28, 2005
    #1

  2. Pavlos Kariotellis

    Brock Allen Guest

    The main drawback of SqlAuthentication (authing from browser thru website
    thru database) is that connections can't be pooled. For some websites this
    is not a concern, but for others where you have huge volume (and/or you're
    not doing windows auth against the clients) if you use the client's creds
    for SqlAuth then that's an independent connection. So 1000 users on your
    site, that's 1000 distinct connections. If you use the same credentials (like
    a "SqlUser" account) then those connections get pooled and thus shared. It's
    a performance enhancement.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen



    > With Forms authentication and SQL Server, MS recommends creating a User
    > table and storing user names and password hashes to that table.
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT03.asp
    > They go on proposing a Roles table and so on. I wonder why not just use
    > SQL Server authentication and just try to login with the user supplied
    > credentials?
    Brock Allen, Mar 28, 2005
    #2
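
    The pattern the two posts above contrast, as an added example that is not part of the thread or of the MSDN article: users are checked against a salted hash in a User table over one shared, pooled connection string, next to the per-user connection string that defeats pooling. The server name, the `dbo.Users` schema, the `SqlUser` login and the PBKDF2 parameters are assumptions; it needs .NET Framework 4.7.2 or later (or .NET Core with the System.Data.SqlClient package).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

static class FormsLogin
{
    // Assumed shared, least-privileged SQL login (password is a placeholder). The string
    // is identical for every request, so ADO.NET serves all of them from one pool.
    const string SharedConnStr = "Server=db.example.internal;Database=AppDb;" +
        "User Id=SqlUser;Password=<placeholder-from-secret-store>;Encrypt=True";

    // Contrast: logging in to SQL Server with the visitor's own credentials. The
    // string differs per user, and pools are keyed by string, so nothing is shared.
    public static string PerUserConnStr(string user, string password)
    {
        return new SqlConnectionStringBuilder {
            DataSource = "db.example.internal", InitialCatalog = "AppDb",
            UserID = user, Password = password, Encrypt = true }.ConnectionString;
    }

    // Hypothetical table: dbo.Users(UserName nvarchar(64), Salt varbinary(16),
    // PwdHash varbinary(32), Iterations int). Only salted hashes are stored.
    public static bool ValidateUser(string userName, string password)
    {
        using (var conn = new SqlConnection(SharedConnStr))
        using (var cmd = new SqlCommand(
            "SELECT Salt, PwdHash, Iterations FROM dbo.Users WHERE UserName = @u", conn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            using (var r = cmd.ExecuteReader())
            {
                if (!r.Read()) return false;           // unknown user
                var salt = (byte[])r["Salt"];
                var stored = (byte[])r["PwdHash"];
                if (stored.Length == 0) return false;  // malformed row
                using (var kdf = new Rfc2898DeriveBytes(
                    password, salt, (int)r["Iterations"], HashAlgorithmName.SHA256))
                {
                    byte[] computed = kdf.GetBytes(stored.Length);
                    int diff = 0;                      // constant-time comparison
                    for (int i = 0; i < stored.Length; i++) diff |= computed[i] ^ stored[i];
                    return diff == 0;
                }
            }
        }
    }
}
```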

  3. Pavlos Kariotellis

    WJ Guest

    Also it may not be safe to transfer SQL PW over the line because SQL does
    not encrypt your PW. You also may have some issues with firewalls. Some do not
    let it thru, especially the NTLM authentication packet unless you are
    sitting inside your FW.

    John
    WJ, Mar 28, 2005
    #3
  4. My application is serving small businesses. Each one has its own DB. Most of
    the time there is one user per DB. This user may be connected all day long.
    To use connection pooling I'll have to log all the users to one DB and then
    switch them to the appropriate DB. I think this creates a security risk.

    Pavlos Kariotellis, Mar 29, 2005
    #4
  5. Pavlos Kariotellis

    Brock Allen Guest

    Absolutely. That's why I said "for some websites it's not a problem" and
    in fact for your situation it wouldn't help since you have more than one
    database. Connection pooling with a single user for the database doesn't
    really buy you anything since in general you're only ever using one connection
    to communicate to the DB.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen



    Brock Allen, Mar 29, 2005
    #5