I have a multi-tenanted SQL database with a "domid" column in each table which defines which tenant that row is for. It works pretty well as the software just appends the current users id to each database request. I have been asked to write/implement a WCF service to interface with the database so that they can start writing other applications to leverage off the information contained within the database.
I'm new to WCF services but have managed to throw together a quick service which does username password and domain authentication. My question is this:
Company 1 logs in to the software and their username and password (hashed... not plain text) is sent via WCF and a bool is returned. From here, how do/should I ensure that this login is associated with each of the users subsequent requests. i.e. user logs in, and then requests a list of all their customers with current outstanding balance. I can't use their domid anymore because what's stopping a smart user changing it in the request? Is their some kind of session handling that i can use? if their is, is this functionality usable by non .net frameworks (like java script or iOS for example).
to date all access has been via a remote desktop connection to a server, which then has the software installed on it and make direct sql requests. What I want to do it to replace this with a WCF interface which handles all the authentication and data retrieval but don't understand/know now to get some form of state-full session handling in place. I've been trying to look for information somewhere but as you might be able to tell from the wording of my question, I don't really know what terminology to use to try and find what i'm looking for.
Or, am I going about this all wrong. Should I look at changing the way the whole thing works, change the Database to something different like different schema's for each tenant instead. My understanding is that it would remove some of the security issues but still doesn't fix my session issue.
Any points or resources anybody can point me to would be most helpful. Also, if anybody has done this before I'd love to hear how you did it.