Msg#: 1117 posted 10:13 pm on Oct 15, 2001 (gmt 0)
Currently on our intranet site, we are being authenticated by Windows NT servers. But we want our users be authenticated by SQL server for intrant pages access. I would like to capture SQL server user names and store them in our log files whenever an update is done.
Further, I would like to display only those pages\hyperlinks where users have explicit premissions (I mean NOT NT file permissions but SQL). How this can be done. I have seen many web site where you can see some extra important hyperlinks if you pay them for that extra service. How to do this?
Any link or codes available with someone to help me on this issue please.
You need to use entirely ASP processed pages. At the top of each page, you need to check a session variable. If it is not set, then redirect to a login page, with the url of the page it is coming from in the querystring. In the login page, merely ask for a username and password. Use the username and password to log into SQL Server. If that succeeds, set the session variable, and redirect back to the original page that was set by the query string.
You must have sessions turned on for this to work. Sessions do not make scalable web sites. The user must also have cookies turned on for this to work.
This technique can be broken by someone very technically savvy, but is secure enough for most purposes.
I wrote about how to make ASP scripts work in .htm or .html pages in this thread: [webmasterworld.com...]
If using Windows NT Challenge/Response you may be able to leverage integrated security within SQL Server. The logins can be matched to NT usernames and groups, which will also help centralize user maintenance.
The physical pages would be protected through file permissions, and any delivery from the database could be governed by their matched SQL Server login. You might check the SQL Server books on line (BOL) for details about column permissions and vertical/horizontal data partitioning.