DWUTKA at marlow.com
DWUTKA at marlow.com
Mon Jan 12 14:22:36 CST 2004
AUTH_USER -----Original Message----- From: Mitsules, Mark S. (Newport News) [mailto:Mark.Mitsules at ngc.com] Sent: Monday, January 12, 2004 1:50 PM To: 'Access Developers discussion and problem solving' Subject: RE: [AccessD] Access Security - Web Based ASP Oops...forgot to ask...If I can retrieve the LAN login name, which server variable would it be? Mark -----Original Message----- From: Mitsules, Mark S. (Newport News) [mailto:Mark.Mitsules at ngc.com] Sent: Monday, January 12, 2004 2:45 PM To: 'Access Developers discussion and problem solving' Subject: RE: [AccessD] Access Security - Web Based ASP Erwin, Drew, et. al. or et. aliae., Since my application will reside on our company intranet, I've been looking into using Integrated Windows Authentication. I've yet to submit the request to have this implemented...I need to clarify a few things. If I'm reading this correctly, when an ASP page is requested, the "actual" LAN username and password are not sent...merely a hash. I can understand about the password, but the reason I'm going through this in the first place is to determine the actual user. I was hoping that this method would provide me with their LAN login name so that I can filter the available records and return only the user's records. Since I can not test this out, I was hoping someone can verify...with Integrated Windows Authentication in place, can I retrieve the LAN login name through an ASP page and use that as a parameter for a stored procedure? In other words, once they are on the LAN they can access my data, but I want to make sure they access only THEIR data. Is this possible? Mark -----Original Message----- From: Erwin Craps - IT Helps [mailto:Erwin.Craps at ithelps.be] Sent: Friday, January 09, 2004 4:45 PM To: Access Developers discussion and problem solving Subject: RE: [AccessD] Access Security - Web Based ASP I have a small little trick I used for same reasons. I'm using a seperate MDB file which has linked tables to the backend database. Only the tables I really need are in the WEB database. If it ain't there you can get in.... But I supose that you the data of the people are all in the same table. You need a password system to login via the web, these user/password are stored in a table in your db. When a correct match you store the ID of the person into the session. If you build SQL string than you always use the persons ID stored in the session. So don't use any parameters with the URL string for person identification. You should be reasonably safe with that, but not 100%, you never are 100% safe.... Erwin -----Original Message----- From: accessd-bounces at databaseadvisors.com [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Mitsules, Mark S. (Newport News) Sent: Friday, January 09, 2004 10:33 PM To: 'Access Developers discussion and problem solving' Subject: RE: [AccessD] Access Security - Web Based ASP Thanks. I will research Integrated Windows Authentication as an option. Mark -----Original Message----- From: DWUTKA at marlow.com [mailto:DWUTKA at marlow.com] Sent: Friday, January 09, 2004 4:06 PM To: accessd at databaseadvisors.com Subject: RE: [AccessD] Access Security - Web Based ASP With ASP, you can get the users logged in account, either with Integrated Windows Authentication, or plain text password. No need to have security on the db itself, if you don't put it into a directory 'visible' from the web. Drew -----Original Message----- From: Mitsules, Mark S. (Newport News) [mailto:Mark.Mitsules at ngc.com] Sent: Friday, January 09, 2004 2:40 PM To: '[AccessD]' Subject: [AccessD] Access Security - Web Based ASP I have an existing .mdb "protected" only by an API call to GetUserName...very limited access. It contains time charging data for the entire department ("company confidential...need to know" type stuff). In the simplest of terms, what is the minimum necessary to achieve the following scenario? I would like a user to be able to access ONLY THEIR time charging data through a web page interface. Are there alternatives? Mark _______________________________________________ AccessD mailing list AccessD at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/accessd Website: http://www.databaseadvisors.com _______________________________________________ AccessD mailing list AccessD at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/accessd Website: http://www.databaseadvisors.com _______________________________________________ AccessD mailing list AccessD at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/accessd Website: http://www.databaseadvisors.com _______________________________________________ AccessD mailing list AccessD at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/accessd Website: http://www.databaseadvisors.com _______________________________________________ AccessD mailing list AccessD at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/accessd Website: http://www.databaseadvisors.com _______________________________________________ AccessD mailing list AccessD at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/accessd Website: http://www.databaseadvisors.com