Secure login from ASP page to SQL Server DB

mo wrote:

Sorry I can't be more specific, but....

I'd like to create a secure login from an ASP page to a specific SQL
Server 2000 Db. Is there an accepted methodology for doing this? Are
there any resourses that show how this can be done?

Thanks for any help.

Mo

You'll need to specify what you mean by "secure". Secure from whom? The
average user browsing to the web page? The determined hacker? The
disgruntled employee?

--
HTH,
Bob Barrows - ASP MVP
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

I mean that those trying to login to certain (asp) pages are allowed to do
so only if the credentials they are using (username & password) are
registered on a particular SQL Server 2000 db. I hope this is clear enough.

Thanks

You'll need to specify what you mean by "secure". Secure from whom? The
average user browsing to the web page? The determined hacker? The
disgruntled employee?

--
HTH,
Bob Barrows - ASP MVP
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

http://www.aspfaq.com/show.asp?id=2114

--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserv...y/centers/iis/

"mo" <m.********@nospam.qmul.ac.uk> wrote in message
news:bm**********@beta.qmul.ac.uk...

I mean that those trying to login to certain (asp) pages are allowed to do
so only if the credentials they are using (username & password) are
registered on a particular SQL Server 2000 db. I hope this is clear enough.
Thanks

You'll need to specify what you mean by "secure". Secure from whom? The
average user browsing to the web page? The determined hacker? The
disgruntled employee?

--
HTH,
Bob Barrows - ASP MVP
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

mo wrote:

I mean that those trying to login to certain (asp) pages are allowed
to do so only if the credentials they are using (username & password)
are registered on a particular SQL Server 2000 db. I hope this is
clear enough.

1. Create a table of users in your sql database. Include columns for user
name, user login, security level, etc.
2. Create a SQL login/password which will be used by your connection strings
in your asp pages.
3. In IIS Mangaer, turn off Anonymous login and enable NT
Challenge/Response.
4. Create an asp page which can be #included in all the pages requiring
security. In that page, get the user's login name from the LOGON_USER
servervariable. Connect to sql using the login/password which were created
above (www.connectionstrings.com - use the OLEDB example: ODBC should be
avoided) and look up the login name in the user table. If it's there, and
the security level is correct (if you are using security levels), then
simply continue. Optionally, set a boolean variable to true if later
processes need to know if the user is approved. Otherwise, redirect to a
NotAuthorized.page.
--
HTH,
Bob Barrows - ASP MVP
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

Tom Kaminski [MVP] wrote:

http://www.aspfaq.com/show.asp?id=2114

Damn! I forgot to check the FAQ before wasting all that time writing a
response! grrr
--
HTH,
Bob Barrows - ASP MVP
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

"Bob Barrows" <re******@NOyahoo.SPAMcom> wrote in message
news:Oh****************@TK2MSFTNGP11.phx.gbl...

Tom Kaminski [MVP] wrote:

http://www.aspfaq.com/show.asp?id=2114

Damn! I forgot to check the FAQ before wasting all that time writing a
response! grrr

It's a very nice response though ... ; )

Thanks very much for the help. Sounds a tad complex!

1. Create a table of users in your sql database. Include columns for user
name, user login, security level, etc.
2. Create a SQL login/password which will be used by your connection strings in your asp pages.
3. In IIS Mangaer, turn off Anonymous login and enable NT
Challenge/Response.
4. Create an asp page which can be #included in all the pages requiring
security. In that page, get the user's login name from the LOGON_USER
servervariable. Connect to sql using the login/password which were created
above (www.connectionstrings.com - use the OLEDB example: ODBC should be
avoided) and look up the login name in the user table. If it's there, and
the security level is correct (if you are using security levels), then
simply continue. Optionally, set a boolean variable to true if later
processes need to know if the user is approved. Otherwise, redirect to a
NotAuthorized.page.
--
HTH,
Bob Barrows - ASP MVP
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

mo wrote:

Thanks very much for the help. Sounds a tad complex!

And I did not mention that it's only relevant for an Intranet site. See the
aspfaq article for a solution that's relevant for an internet site.

--
HTH,
Bob Barrows - ASP MVP
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.