OT: FAO Web Designers - Help Required

IPAddis

Original Poster:

Thursday 8th August 2002
We are thinking about developing our first commercial web service and we have half designed a system where a user logs into a web site and is then given information from a database. There is some confusion about how we log web users into the web site and I would appreciate advice.

Basically, we have our ASP pages which use a COM object running under a specified user account to connect to the database. The user never logs into the database directly. The current plan is to store the users' names and passwords in the database and then trap some kind of user GUID to stop people attempting to impersonate other people. I think we are making it too complicated.

Someone suggested running M$ Site Server but that comes in at a whopping 7 grand per processor and we won't use half the functionality.

Any ideas?

Regards,

Ian A.

PetrolTed

Thursday 8th August 2002
Sounds over complex.

Create a cookie/session based system that requires a password after every session or times out quickly.

Then get people to log in and just compare that against user profiles in the database.

IPAddis

Original Poster:

Thursday 8th August 2002
Thanks Ted.

That was the idea I was trying to convey. I think the concept was to store a GUID in the cookie instead of a username and password for security reasons. Not entirely sure why.

I presume getting the web site to authenticate users against an SQL table containing unencrypted usernames and passwords is fairly secure? We're using SSL so communications with the site itself should be as hackproof as any other MS hosted site.

Thanks for the help, we weren't sure who to ask but I said I knew a web site that would know the answer!

Ian A.

M@H

Thursday 8th August 2002
You don't have to hold the password in the cookie though.. that just gives the advantage of an auto login.. if you just hold the username in the cookie then that field can be autocompleted into the login page, but the user has to type in the password.

Or you could use basic http auth, in which case the end user machine would store the login details anyway..

Cheers
Matt.