tags:

views:

200

answers:

5
Q: 

How to create a database driven login system

I want to create a website that the login system shouldn't be handled by cookies, but on (a) table(s) in the local (on the server) SQL DB.

Is there a way to do it? Even no partial way?

What and where should I save instead of the cookie???

+1  A: 

Cookieless ASP.NET

If you need help actually implementing the login system you'll need to include more details about your specific problem.

Paul Alexander  2009-06-24 16:13:54
+1 - completely ignored this method
John Rasch  2009-06-24 16:15:43
I updated the question
Shimmy  2009-06-24 20:22:26
A: 

Use the SqlMembershipProvider.

Joel Coehoorn  2009-06-24 16:14:35
How does that obviate the need for Cookies, Joel ?
Cerebrus  2009-06-24 16:22:25
It answers the other half of the question - how to implement a login system driven by a SQL database...
GalacticCowboy  2009-06-24 20:31:28
In other words, don't reinvent the wheel.
GalacticCowboy  2009-06-24 20:32:03
+2  A: 

You still need some way of telling the users apart. If you don't use cookies, then you will have to transfer that information in url or allow only one user from a single ip address (this is really stupid) ... or something else. Cookies are not that bad :-).

cube  2009-06-24 16:16:14
+1  A: 

You can store your usernames and so in a database, but you will still need a way to recognize the user as he/she navigates from page to page. That is the cookies role in this, to persist this login token...

It is possible to implement some other ways of handling this token. One can use the URL or somme hidden fields (as ASP.NET's ViewState) to store this token.

So, yes; it can be done. But it takes some work, since you can't use what ASP.NET already provides you. (ASP.NET has builtin-features to handle this token as a cookie, and also store the credentials in the database.)

Arjan Einbu  2009-06-24 16:20:20
+2  A: 

ASP.NET uses Session cookies by default to track user requests. If you use Cookieless sessions, you will find the Session ID being appended in all requests from the browser. In many scenarios, this could also be unacceptable.

Even if you decide to hit the database and check for a "LoggedIn" flag upon each request, you still need some way to identify the incoming request as belonging to a particular user. This could be in the form of encrypted values in hidden fields, depending on your security scenario. That said, it's not a much better method than the use of cookies, because any data that comes from the client has the potential to have been tampered with.

Personally, I think Cookies are great to track user requests as long as you encrypt them properly.

Cerebrus  2009-06-24 16:20:56

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP