Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Windows Forms Login.

Posted on 2009-07-03
Medium Priority
Last Modified: 2013-12-17
I am building a C# windows application with only one form. The form requires to connect to mssql server 2008 and another application server to work. Now I want to implement a login before the form is loaded. The login would authenticate against the sql server and the application server and if both logins are successful run the application with connection parameters passed from the login form. If the login fails for let say three times exit the application. Also when the application is close the connection parameters obtained from the login should be reset. Please provide the solutions if you know not links to different technologies. We are short on time to implement this.

Question by:Atouray
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 22

Assisted Solution

8080_Diver earned 400 total points
ID: 24772600
One solution I have used in the past is to have a "login access" to the SQL Server that is used and then use that to confirm the user's rights to connect the SQL Server and the Apps server in order to run the application.
In other words, there is a SQL User name and password (which I will refer to as the GateKeeper) ) that can only access a stored procedure that is used to confirm the user name and password entered by the user.  All GateKeeper does is call the SP, passing the user name and password provided by the user and then, if those validate against a table in the daabase, GateKeeper receives the Username and Password necessary for the user to actually be able to do anything.  
Since GateKeeper can only access the one SP and nothing more, this limits the expore to the database.   Since GateKeeper passes the user-entered name and password and receives the appropriate access name and password (if the user name and password validate), the fact that the user knows a name and password has no brearing on direct access to the database and app server.  this also puts the maintenance of actual SQL Server user names and passwords and app server user names and passwords in the hands of the admin(s) and provides a quick and easy way to invalidate a user's login (by a simple deletion from or update to a single table).
By having your application obtain the App server and SQL Server logins in this manner, all use of them is internal to the app.  You can even encrypt them in the database so that what is returned has to be decrypted within your app for them to be used.

Author Comment

ID: 24773046
Actually I've been waiting for so long for an answer. I've implemented a solution but would like to have comments from experts. I've changed my design in such a way that when the end user runs the application
the application controls are disable and hidden and only the login interface is visible. When the user provides usernames and passwords for both sql server and application server I attempt to login to both sql and app server. If login is successful to both servers application with necessary controls are launched. Otherwise the specific exceptions are thrown to the user. With these only end users can only access the controls after being able to successfully connect to both sql server and application server. Please if you have any comments or suggestions let me know.
LVL 22

Assisted Solution

8080_Diver earned 400 total points
ID: 24774521
Actually I've been waiting for so long for an answer
07/03/09 04:39 AM to 07/03/09 09:32 AM?!?!?!?!  
Patience is a virtue that is required for applications development! ;-)
Okay, I am assuming that your approach is working, so that means, pragmatically speaking, you do have a solution.  So I'll respond to your request for comments.
Some comments on what you have done:
  • By having the controls disabled until a correct username/password combination has been provided, you are definitely controlling the user's access to those controls . . . this is a Good Thing;
  • Do you have a user password policy the is being implemented?
  • You have to be using SQL Server log-ins for the database but that means that your apps server logins, which are probably Windows logins are the same as the database logins . . . this is not really the most secure approach to things and it also complicates redifining the access that a user may have to the database (either to make the access more or less restricted).
  • When a User successfully logs on, do you have levels of users?  I.e. can eeryone do anything that anyone else can do or can some do thins (like maintenance on data) that others cannnot (like, maybe, people who only need to view/run reports)?
The approach you have taken is a little like the approach I was suggesting in that the first thing the user has to do is log on.  However, there are some noticeable differences:
  • The user's attempt to log on is directed directly at the database and the app server,
  • The User's Username and Password are going to have to be maintained both in SQL Servere and on the app server, which complicates the maintenance a little and requires keping permissions, etc., in synch.
The level of security and the maintenance questions are things you will have to decide on, so that part is really up to you.

Accepted Solution

Atouray earned 0 total points
ID: 24776580
Thanks a lot Diver. The sql server login and the application server login are totally different and have different sets of logins. Also the application doesn't have user roles as it's not needed. Right now for maintenance we not worry much. Changing the users on both sql and app server is not an issue.

The only thing I am left with now is to encrypt the communication between sql and client.

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question