Windows Forms Login.

Posted on 2009-07-03
Last Modified: 2013-12-17
I am building a C# Windows application with only one form. The form needs to connect to an MSSQL Server 2008 and another application server to work. Now I want to implement a login before the form is loaded. The login would authenticate against the SQL server and the application server and, if both logins are successful, run the application with connection parameters passed from the login form. If the login fails for, let's say, three times, exit the application. Also, when the application is closed, the connection parameters obtained from the login should be reset. Please provide the solutions if you know them, not links to different technologies. We are short on time to implement this.

Question by: Atouray
LVL 22

Assisted Solution

8080_Diver earned 100 total points
ID: 24772600
One solution I have used in the past is to have a "login access" to the SQL Server that is used and then use that to confirm the user's rights to connect the SQL Server and the Apps server in order to run the application.
In other words, there is a SQL user name and password (which I will refer to as the GateKeeper) that can only access a stored procedure that is used to confirm the user name and password entered by the user. All GateKeeper does is call the SP, passing the user name and password provided by the user, and then, if those validate against a table in the database, GateKeeper receives the username and password necessary for the user to actually be able to do anything.
Since GateKeeper can only access the one SP and nothing more, this limits the exposure of the database. Since GateKeeper passes the user-entered name and password and receives the appropriate access name and password (if the user name and password validate), the fact that the user knows a name and password has no bearing on direct access to the database and app server. This also puts the maintenance of actual SQL Server user names and passwords and app server user names and passwords in the hands of the admin(s) and provides a quick and easy way to invalidate a user's login (by a simple deletion from or update to a single table).
By having your application obtain the App server and SQL Server logins in this manner, all use of them is internal to the app.  You can even encrypt them in the database so that what is returned has to be decrypted within your app for them to be used.
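One way to lay out the GateKeeper arrangement described in this answer, in T-SQL, as an added example that is not from the thread; the table, procedure and login names are assumptions, and the passwords checked by the procedure are stored as salted hashes rather than plaintext.

```sql
-- Added example (not from the thread). Names (dbo.AppUser, dbo.usp_GateKeeperLogin,
-- the GateKeeper login) are assumptions chosen for illustration.

-- Table of application users. The user-entered password is stored as a salted
-- SHA-256 hash; the credentials the app really uses are returned only on a match.
CREATE TABLE dbo.AppUser (
    UserName      sysname        NOT NULL PRIMARY KEY,
    PasswordSalt  varbinary(16)  NOT NULL,
    PasswordHash  varbinary(32)  NOT NULL,
    IsActive      bit            NOT NULL DEFAULT 1,
    SqlLoginName  sysname        NOT NULL,   -- real SQL Server login for the app
    SqlLoginPwd   nvarchar(128)  NOT NULL,
    AppSrvUser    nvarchar(128)  NOT NULL,   -- real application-server account
    AppSrvPwd     nvarchar(128)  NOT NULL
);
GO

-- The one procedure GateKeeper may execute: validate, then hand back the real credentials.
CREATE PROCEDURE dbo.usp_GateKeeperLogin
    @UserName sysname,
    @Password nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT SqlLoginName, SqlLoginPwd, AppSrvUser, AppSrvPwd
    FROM dbo.AppUser
    WHERE UserName = @UserName
      AND IsActive = 1
      AND PasswordHash = HASHBYTES('SHA2_256',
                                   PasswordSalt + CONVERT(varbinary(256), @Password));
END
GO

-- Constructed sample user: a fresh random salt, hash computed the same way the SP checks it.
DECLARE @Salt varbinary(16) = CRYPT_GEN_RANDOM(16);
INSERT INTO dbo.AppUser (UserName, PasswordSalt, PasswordHash, SqlLoginName, SqlLoginPwd, AppSrvUser, AppSrvPwd)
VALUES (N'jdoe', @Salt,
        HASHBYTES('SHA2_256', @Salt + CONVERT(varbinary(256), N'<user-chosen password>')),
        N'app_reader', N'<placeholder>', N'jdoe', N'<placeholder>');
GO

-- Least privilege: GateKeeper gets EXECUTE on this procedure and nothing else.
CREATE LOGIN GateKeeper WITH PASSWORD = '<strong placeholder password>';
CREATE USER GateKeeper FOR LOGIN GateKeeper;
GRANT EXECUTE ON dbo.usp_GateKeeperLogin TO GateKeeper;

-- Revoking a user is a single row update; no SQL Server login has to change.
-- UPDATE dbo.AppUser SET IsActive = 0 WHERE UserName = N'jdoe';
```

HASHBYTES('SHA2_256') requires SQL Server 2012 or later; on SQL Server 2008 only MD5/SHA1 are available there, so the hash would have to be computed client-side or with a CLR function. The real credentials still travel back to the client in the result set, which is why the client-to-SQL connection itself should be encrypted.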

Author Comment

ID: 24773046
Actually I've been waiting for so long for an answer. I've implemented a solution but would like to have comments from experts. I've changed my design in such a way that when the end user runs the application, the application controls are disabled and hidden and only the login interface is visible. When the user provides usernames and passwords for both the SQL server and the application server, I attempt to log in to both the SQL and app server. If login is successful to both servers, the application with the necessary controls is launched. Otherwise the specific exceptions are shown to the user. With this, end users can only access the controls after being able to successfully connect to both the SQL server and the application server. Please, if you have any comments or suggestions, let me know.
LVL 22

Assisted Solution

8080_Diver earned 100 total points
ID: 24774521
Actually I've been waiting for so long for an answer
07/03/09 04:39 AM to 07/03/09 09:32 AM?!?!?!?!  
Patience is a virtue that is required for applications development! ;-)
Okay, I am assuming that your approach is working, so that means, pragmatically speaking, you do have a solution.  So I'll respond to your request for comments.
Some comments on what you have done:
  • By having the controls disabled until a correct username/password combination has been provided, you are definitely controlling the user's access to those controls . . . this is a Good Thing;
  • Do you have a user password policy that is being implemented?
  • You have to be using SQL Server log-ins for the database, but that means that your apps server logins, which are probably Windows logins, are the same as the database logins . . . this is not really the most secure approach to things and it also complicates redefining the access that a user may have to the database (either to make the access more or less restricted).
  • When a user successfully logs on, do you have levels of users? I.e. can everyone do anything that anyone else can do, or can some do things (like maintenance on data) that others cannot (like, maybe, people who only need to view/run reports)?
The approach you have taken is a little like the approach I was suggesting in that the first thing the user has to do is log on.  However, there are some noticeable differences:
  • The user's attempt to log on is directed directly at the database and the app server,
  • The user's username and password are going to have to be maintained both in SQL Server and on the app server, which complicates the maintenance a little and requires keeping permissions, etc., in synch.
The level of security and the maintenance questions are things you will have to decide on, so that part is really up to you.

Accepted Solution

Atouray earned 0 total points
ID: 24776580
Thanks a lot, Diver. The SQL server login and the application server login are totally different and have different sets of logins. Also, the application doesn't have user roles as they're not needed. Right now we do not worry much about maintenance. Changing the users on both the SQL and app server is not an issue.

The only thing I am left with now is to encrypt the communication between sql and client.
