Dear Gurus,
Would appreciate some guidance how best to go around creating a secure login form for SQL server authentication (non windows based authentication for now). I have gotten the form working fine (Application is winforms based) but would like to store the credentials supplied by the user (Username & password) dynamically and securely in memory to dynamically build the connection strings as needed without having to re ask the end user to supply the credentials.
Till now I have the following possible scenarios that may work:
Pass the values of the two text boxes to the constructor of the main application screen and store the values in memory ( have some concerns re run time attacks )
After some research the Securestring function seemed very interesting to store the password value in a encrypted format but I got a bit confused on how to actually use it ( decrypt the string and deploy that value in the connection string)
Any assistance with the above is greatly appriciated
However, if you can't use Windows Authentication only then I'm assuming your SQL Server is configured to use Mixed Mode Authentication.
Is your application using a dedicated account to connect to SQL Server and your App users multiple user IDs stored in a SQL table?
If so, then you could perhaps create some host lookup table that SQL Server checks after a user logins for the first time:
1. If host is not found force login using authorize user lookup table.
2. Store host info after successful login.
3. Future visits would validate user against host table.
4. If authorized then allow access and skip password requirement.
You can obtain connecting client information using something like the following:
Open in new window