I’d like to set up an authentication system (log in) for a WinForms application. There will be about 500 users or so in remote locations. The database will be a SQL Server accessible via port forwarding through a firewall. As I’ve read on how to do this, I either don’t fully understand the process or there’s a security hole. Here’s the environment summary:
Server accessible over internet:
SQL Server 2014
Several Others readable and writable depending on permissions
Server Database Logins:
AppUserManager, read/write permissions on User Table, read on Logins table
AppUser, read/write on Users table (to change PW every so often), write on Logins, write/read various tables
AppTemp, read user Table
Includes AppTemp credentials in deployment
Includes AppTemp credentials
Open Log In Form
Retrieve User Row (salt, PW Hash, permissions, Encrypted AppUser Credentials) based on what is entered in the User Name Text Box using the AppTemp database user.
Compare PW hash (with salt) to make sure PW is correct
If correct, decrypt AppUser credentials retrieved with the AppTemp and use those to open new connection to DB for operations
I guess what I’m worried about is ‘hardcoding’ the AppTemp connection string, as anybody could decompile and have free access to the user table at least, and then could decrypt the AppUser credentials and have free rein... What am I missing in this process to make it secure?
I read about creating a web service or middle tier logic to manage the DB traffic but I have no experience in doing that so would prefer to avoid it if possible.
Thanks for thoughts.
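
The "compare PW hash (with salt)" step from the flow above, as an added example that is not code from the original post. It assumes PBKDF2-HMAC-SHA256 (the post does not name the hash in use), and `UserRow`, `PasswordCheck` and the `Iterations` field are hypothetical names. It covers only the comparison itself, wherever that step ends up running.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical shape of the row fetched in the "Retrieve User Row" step.
public sealed class UserRow
{
    public byte[] Salt, PasswordHash;
    public int Iterations;   // assumed column; the post does not list one
}

public static class PasswordCheck
{
    // Assumption: PBKDF2-HMAC-SHA256; the post does not say which hash is stored.
    public static byte[] Derive(string password, byte[] salt, int iterations, int length)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(length);
    }

    // Compares every byte so timing does not reveal where the first mismatch is.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // row == null means the user name was not found: do the same work, then fail,
    // so a missing user and a wrong password take a similar amount of time.
    public static bool Verify(string entered, UserRow row)
    {
        if (row == null) { Derive(entered, new byte[16], 100000, 32); return false; }
        byte[] candidate = Derive(entered, row.Salt, row.Iterations, row.PasswordHash.Length);
        return FixedTimeEquals(candidate, row.PasswordHash);
    }
}

public static class Demo
{
    public static void Main()
    {
        var salt = new byte[16];                       // constructed sample data
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        var row = new UserRow { Salt = salt, Iterations = 100000,
            PasswordHash = PasswordCheck.Derive("correct horse", salt, 100000, 32) };
        Console.WriteLine(PasswordCheck.Verify("correct horse", row));
        Console.WriteLine(PasswordCheck.Verify("wrong guess", row));
        Console.WriteLine(PasswordCheck.Verify("anything", null));
    }
}
```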