tags:

views:

817

answers:

6
+1  Q: 

SQL Server and asp.net application security models / best practice

For my asp.net web applications against sql server(at least the ones that require a logon to access) I generally implement security as follows:

I generally roll my own user signup, user login pages and keep a userid and an encrypted password in an sql server and validate the login against that table - I also provide for forgotten passwords, 'send me my password', email verification to activate accounts etc all thru custom code.

Once the user has been validated by the app (and lets assume that all users have the same privileges), I generally use a utility logonid to let asp.net talk to sql server, so in other words I only need to create a single logon id per application, and since 100% of all data access is done thru stored procedures, I need only grant access to a single user to execute stored procedures, and no other work is required on sql server. Each application has its own database, and the logon for that app can only access that database.

All this works perfectly well for me, the only negative of this is that it would be nice to be able to setup a trace in sql server and see the userid and the procs that are being called, but since all users are 'talking' to the database thru a single database logon, this can't happen.

So, two part question:

1) Are there security models are you folks using that I should consider? Its easy to always do the same thing over and over, - especially since it works - but are there other models that would work better or that I should consider? Is it recommended practice that all database access from an asp.net app would all share a single database login? or is this considered bad practice? and if so, why?

2) Assuming I stick with my model, is there a way to allow for the application login id to be seen in the sql trace window? It would be nice to see the sp's being called and the user id of the person logged into the system (not the database login).

A: 

1)As long as you are using stored procedures for access one login may be fine. Some peolple like to use one for admin as well.

2)You could modify your stored procedures to accept a user id as a parameter.

Sam  2009-01-14 16:05:23
>>ou could modify your stored procedures to accept a user id as a parameter. I've considered that for future projects, but not for the codebase that already exists.
EJB  2009-01-14 16:07:10
+1  A: 

1) It is recommended that your web application use a single login to the database typically. If you don't you are going to be forced to impersonate your caller, which is typcially not recommended, and it doesn't scale very well. You should not use a different connection string for each user. For example using SQL Authentication for each user is a bad idea. It will make connection polling ineffective.

2) You could do this by modifying the connection string but that would make connection pollign ineffective.

JoshBerke  2009-01-14 16:06:28
+3  A: 

Is it recommended practice that all database access from an asp.net app would all share a single database login?

Yes, primarily for connection pooling.

In regards to 2), I normally do that by logging at the ASP.NET side.

Otávio Décio  2009-01-14 16:08:52
+1  A: 

From a .NET best practices point of view, you may want to consider taking a look at Microsoft Enterprise Library. It contains a set of practices, patterns, and features that assist with issues such as Security and Data Access.

 2009-01-14 16:15:03
A: 

I would generally share a single user for connection pooling.

In the case where you may need to trace a particular user. I write in admin functionality where you can make the application use a second database login. You can then enable this for a specific user and trace that user individually.

It just means you get the ability to trace as a one off, yet keeping the single user connection pooling for the rest of the application.

Robin Day  2009-01-19 12:27:47
A: 

I've been using the same approach as well. More recently, I wonder if this is affecting the application's scaleability. My DB servers have multi-core processors and are quite capable of parallel operations, but I think SQL Server serialized queries running with the same userID. I think this means that stored procedures from different actual users are beeing queued up because SQL Server sees them all as coming from the same the same userID.

If this is the case, I'd think it would be severely limiting the scaleability of my app, no?

R.MacLean  2010-02-24 15:38:04

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?