Windows Forms Login.

Posted on 2009-07-03
Last Modified: 2013-12-17
I am building a C# windows application with only one form. The form requires to connect to mssql server 2008 and another application server to work. Now I want to implement a login before the form is loaded. The login would authenticate against the sql server and the application server and if both logins are successful run the application with connection parameters passed from the login form. If the login fails for let say three times exit the application. Also when the application is close the connection parameters obtained from the login should be reset. Please provide the solutions if you know not links to different technologies. We are short on time to implement this.

Question by:Atouray
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 22

Assisted Solution

8080_Diver earned 100 total points
ID: 24772600
One solution I have used in the past is to have a "login access" to the SQL Server that is used and then use that to confirm the user's rights to connect the SQL Server and the Apps server in order to run the application.
In other words, there is a SQL User name and password (which I will refer to as the GateKeeper) ) that can only access a stored procedure that is used to confirm the user name and password entered by the user.  All GateKeeper does is call the SP, passing the user name and password provided by the user and then, if those validate against a table in the daabase, GateKeeper receives the Username and Password necessary for the user to actually be able to do anything.  
Since GateKeeper can only access the one SP and nothing more, this limits the expore to the database.   Since GateKeeper passes the user-entered name and password and receives the appropriate access name and password (if the user name and password validate), the fact that the user knows a name and password has no brearing on direct access to the database and app server.  this also puts the maintenance of actual SQL Server user names and passwords and app server user names and passwords in the hands of the admin(s) and provides a quick and easy way to invalidate a user's login (by a simple deletion from or update to a single table).
By having your application obtain the App server and SQL Server logins in this manner, all use of them is internal to the app.  You can even encrypt them in the database so that what is returned has to be decrypted within your app for them to be used.

Author Comment

ID: 24773046
Actually I've been waiting for so long for an answer. I've implemented a solution but would like to have comments from experts. I've changed my design in such a way that when the end user runs the application
the application controls are disable and hidden and only the login interface is visible. When the user provides usernames and passwords for both sql server and application server I attempt to login to both sql and app server. If login is successful to both servers application with necessary controls are launched. Otherwise the specific exceptions are thrown to the user. With these only end users can only access the controls after being able to successfully connect to both sql server and application server. Please if you have any comments or suggestions let me know.
LVL 22

Assisted Solution

8080_Diver earned 100 total points
ID: 24774521
Actually I've been waiting for so long for an answer
07/03/09 04:39 AM to 07/03/09 09:32 AM?!?!?!?!  
Patience is a virtue that is required for applications development! ;-)
Okay, I am assuming that your approach is working, so that means, pragmatically speaking, you do have a solution.  So I'll respond to your request for comments.
Some comments on what you have done:
  • By having the controls disabled until a correct username/password combination has been provided, you are definitely controlling the user's access to those controls . . . this is a Good Thing;
  • Do you have a user password policy the is being implemented?
  • You have to be using SQL Server log-ins for the database but that means that your apps server logins, which are probably Windows logins are the same as the database logins . . . this is not really the most secure approach to things and it also complicates redifining the access that a user may have to the database (either to make the access more or less restricted).
  • When a User successfully logs on, do you have levels of users?  I.e. can eeryone do anything that anyone else can do or can some do thins (like maintenance on data) that others cannnot (like, maybe, people who only need to view/run reports)?
The approach you have taken is a little like the approach I was suggesting in that the first thing the user has to do is log on.  However, there are some noticeable differences:
  • The user's attempt to log on is directed directly at the database and the app server,
  • The User's Username and Password are going to have to be maintained both in SQL Servere and on the app server, which complicates the maintenance a little and requires keping permissions, etc., in synch.
The level of security and the maintenance questions are things you will have to decide on, so that part is really up to you.

Accepted Solution

Atouray earned 0 total points
ID: 24776580
Thanks a lot Diver. The sql server login and the application server login are totally different and have different sets of logins. Also the application doesn't have user roles as it's not needed. Right now for maintenance we not worry much. Changing the users on both sql and app server is not an issue.

The only thing I am left with now is to encrypt the communication between sql and client.

Featured Post

Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Many of you may be aware of the recent Google Docs scam emails that have been floating around coming from various people that you know. Here's a guide on identifying How To Identify the Scam Email You will see an email from someone you’ve had co…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question