[AccessD] Access Security - Web Based ASP

Mitsules, Mark S. (Newport News) Mark.Mitsules at ngc.com
Mon Jan 12 13:44:36 CST 2004 

Erwin, Drew, et. al. or et. aliae.,

Since my application will reside on our company intranet, I've been looking
into using Integrated Windows Authentication.  I've yet to submit the
request to have this implemented...I need to clarify a few things.  If I'm
reading this correctly, when an ASP page is requested, the "actual" LAN
username and password are not sent...merely a hash.  I can understand about
the password, but the reason I'm going through this in the first place is to
determine the actual user.  I was hoping that this method would provide me
with their LAN login name so that I can filter the available records and
return only the user's records.  Since I can not test this out, I was hoping
someone can verify...with Integrated Windows Authentication in place, can I
retrieve the LAN login name through an ASP page and use that as a parameter
for a stored procedure?

In other words, once they are on the LAN they can access my data, but I want
to make sure they access only THEIR data.  Is this possible?

Mark

-----Original Message-----
From: Erwin Craps - IT Helps [mailto:Erwin.Craps at ithelps.be] 
Sent: Friday, January 09, 2004 4:45 PM
To: Access Developers discussion and problem solving
Subject: RE: [AccessD] Access Security - Web Based ASP


I have a small little trick I used for same reasons.
I'm using a seperate MDB file which has linked tables to the backend
database. Only the tables I really need are in the WEB database. If it ain't
there you can get in....

But I supose that you the data of the people are all in the same table.

You need a password system to login via the web, these user/password are
stored in a table in your db. When a correct match you store the ID of the
person into the session.

If you build SQL string than you always use the persons ID stored in the
session. So don't use any parameters with the URL string for person
identification.

You should be reasonably safe with that, but not 100%, you never are 100%
safe....

Erwin





-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Mitsules, Mark S.
(Newport News)
Sent: Friday, January 09, 2004 10:33 PM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] Access Security - Web Based ASP

Thanks.  I will research Integrated Windows Authentication as an option.


Mark


-----Original Message-----
From: DWUTKA at marlow.com [mailto:DWUTKA at marlow.com]
Sent: Friday, January 09, 2004 4:06 PM
To: accessd at databaseadvisors.com
Subject: RE: [AccessD] Access Security - Web Based ASP


With ASP, you can get the users logged in account, either with Integrated
Windows Authentication, or plain text password.  No need to have security on
the db itself, if you don't put it into a directory 'visible' from the web.

Drew

-----Original Message-----
From: Mitsules, Mark S. (Newport News) [mailto:Mark.Mitsules at ngc.com]
Sent: Friday, January 09, 2004 2:40 PM
To: '[AccessD]'
Subject: [AccessD] Access Security - Web Based ASP


I have an existing .mdb "protected" only by an API call to
GetUserName...very limited access.  It contains time charging data for the
entire department ("company confidential...need to know" type stuff).

In the simplest of terms, what is the minimum necessary to achieve the
following scenario?  I would like a user to be able to access ONLY THEIR
time charging data through a web page interface.  Are there alternatives?


Mark
_______________________________________________
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
_______________________________________________
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
_______________________________________________
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
_______________________________________________
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com

More information about the AccessD mailing list