Windows Forms Login.

Posted on 2009-07-03
Medium Priority
Last Modified: 2013-12-17
I am building a C# Windows application with only one form. The form needs to connect to MSSQL Server 2008 and another application server to work. Now I want to implement a login before the form is loaded. The login would authenticate against the SQL server and the application server and, if both logins are successful, run the application with the connection parameters passed from the login form. If the login fails for, let's say, three times, exit the application. Also, when the application is closed, the connection parameters obtained from the login should be reset. Please provide solutions if you know them, not links to different technologies. We are short on time to implement this.

Question by:Atouray
LVL 22

Assisted Solution

8080_Diver earned 400 total points
ID: 24772600
One solution I have used in the past is to have a "login access" to the SQL Server that is used and then use that to confirm the user's rights to connect the SQL Server and the Apps server in order to run the application.
In other words, there is a SQL user name and password (which I will refer to as the GateKeeper) that can only access a stored procedure that is used to confirm the user name and password entered by the user.  All GateKeeper does is call the SP, passing the user name and password provided by the user and then, if those validate against a table in the database, GateKeeper receives the username and password necessary for the user to actually be able to do anything.
Since GateKeeper can only access the one SP and nothing more, this limits the exposure to the database.   Since GateKeeper passes the user-entered name and password and receives the appropriate access name and password (if the user name and password validate), the fact that the user knows a name and password has no bearing on direct access to the database and app server.  This also puts the maintenance of actual SQL Server user names and passwords and app server user names and passwords in the hands of the admin(s) and provides a quick and easy way to invalidate a user's login (by a simple deletion from or update to a single table).
By having your application obtain the app server and SQL Server logins in this manner, all use of them is internal to the app.  You can even encrypt them in the database so that what is returned has to be decrypted within your app for them to be used.
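The GateKeeper pattern described above, as an added T-SQL example (not 8080_Diver's code): the login, database, table and procedure names and the three-failure lockout are assumptions, the user-entered password is stored only as a salted hash, and the stored SQL/app-server credentials are left in clear where the answer suggests encrypting them.

```sql
-- Constructed example: the GateKeeper login may only EXECUTE one procedure.
-- Names (AppDb, dbo.AppUser, dbo.ValidateAppUser) are assumptions; replace the
-- placeholder password. HASHBYTES('SHA2_256') needs SQL Server 2012 or later.
CREATE LOGIN GateKeeper WITH PASSWORD = '<placeholder-strong-password>';
GO
USE AppDb;
CREATE USER GateKeeper FOR LOGIN GateKeeper;   -- no roles, no table permissions
GO
-- Per-user row: salted hash of the login password, lockout state, and the
-- real credentials the app receives (encrypt these, e.g. with ENCRYPTBYKEY).
CREATE TABLE dbo.AppUser (
    UserName        sysname        NOT NULL PRIMARY KEY,
    Salt            varbinary(16)  NOT NULL,
    PwdHash         varbinary(32)  NOT NULL,   -- SHA2_256(Salt + password)
    FailedAttempts  int            NOT NULL DEFAULT 0,
    IsLocked        bit            NOT NULL DEFAULT 0,
    SqlUserName     sysname        NOT NULL,
    SqlPassword     nvarchar(128)  NOT NULL,
    AppUserName     nvarchar(128)  NOT NULL,
    AppPassword     nvarchar(128)  NOT NULL
);
GO
CREATE PROCEDURE dbo.ValidateAppUser
    @UserName sysname, @Password nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Salt varbinary(16), @Hash varbinary(32), @Locked bit;
    SELECT @Salt = Salt, @Hash = PwdHash, @Locked = IsLocked
      FROM dbo.AppUser WHERE UserName = @UserName;
    IF @Salt IS NOT NULL AND @Locked = 0
       AND @Hash = HASHBYTES('SHA2_256', @Salt + CAST(@Password AS varbinary(256)))
    BEGIN
        UPDATE dbo.AppUser SET FailedAttempts = 0 WHERE UserName = @UserName;
        SELECT SqlUserName, SqlPassword, AppUserName, AppPassword
          FROM dbo.AppUser WHERE UserName = @UserName;   -- the only success path
        RETURN 0;
    END
    -- Unknown user or wrong password: count it and lock after the third failure.
    UPDATE dbo.AppUser
       SET FailedAttempts = FailedAttempts + 1,
           IsLocked = CASE WHEN FailedAttempts + 1 >= 3 THEN 1 ELSE IsLocked END
     WHERE UserName = @UserName;
    RETURN 1;   -- no result set: the client treats this as a failed login
END
GO
-- GateKeeper's only permission; ownership chaining lets the dbo-owned procedure
-- read dbo.AppUser, while GateKeeper itself cannot SELECT from the table.
GRANT EXECUTE ON dbo.ValidateAppUser TO GateKeeper;
GO
```

The client opens its first connection as GateKeeper, calls the procedure once per login attempt, and builds its real SQL and app-server connections only from the returned row.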

Author Comment

ID: 24773046
Actually I've been waiting for so long for an answer. I've implemented a solution but would like to have comments from experts. I've changed my design in such a way that when the end user runs the application, the application controls are disabled and hidden and only the login interface is visible. When the user provides usernames and passwords for both the SQL server and the application server, I attempt to log in to both the SQL and app server. If the login to both servers is successful, the application with the necessary controls is launched. Otherwise the specific exceptions are thrown to the user. With this, end users can only access the controls after being able to successfully connect to both the SQL server and the application server. Please, if you have any comments or suggestions, let me know.
LVL 22

Assisted Solution

8080_Diver earned 400 total points
ID: 24774521
Actually I've been waiting for so long for an answer
07/03/09 04:39 AM to 07/03/09 09:32 AM?!?!?!?!  
Patience is a virtue that is required for applications development! ;-)
Okay, I am assuming that your approach is working, so that means, pragmatically speaking, you do have a solution.  So I'll respond to your request for comments.
Some comments on what you have done:
  • By having the controls disabled until a correct username/password combination has been provided, you are definitely controlling the user's access to those controls . . . this is a Good Thing;
  • Do you have a user password policy that is being implemented?
  • You have to be using SQL Server log-ins for the database, but that means that your app server logins, which are probably Windows logins, are the same as the database logins . . . this is not really the most secure approach to things and it also complicates redefining the access that a user may have to the database (either to make the access more or less restricted).
  • When a user successfully logs on, do you have levels of users?  I.e. can everyone do anything that anyone else can do, or can some do things (like maintenance on data) that others cannot (like, maybe, people who only need to view/run reports)?
The approach you have taken is a little like the approach I was suggesting in that the first thing the user has to do is log on.  However, there are some noticeable differences:
  • The user's attempt to log on is directed directly at the database and the app server,
  • The user's username and password are going to have to be maintained both in SQL Server and on the app server, which complicates the maintenance a little and requires keeping permissions, etc., in sync.
The level of security and the maintenance questions are things you will have to decide on, so that part is really up to you.

Accepted Solution

Atouray earned 0 total points
ID: 24776580
Thanks a lot, Diver. The SQL server login and the application server login are totally different and have different sets of logins. Also, the application doesn't have user roles as they're not needed. Right now we don't worry much about maintenance. Changing the users on both the SQL and app server is not an issue.

The only thing I am left with now is to encrypt the communication between the SQL server and the client.
