Hi List!
Thanks for all the help.
I'll develop in ASP (learning), but I prefer not to use cookies. Is that
possible?
But thanks for the tips.
-----Original Message-----
From: Joel Nelson [mailto:joelnelson@stripped]
Sent: Wednesday, 6 June 2001 02:47
To: Ismael Touama
Cc: win32
Subject: Re: Connexion from one user profil
----- Original Message -----
> Thanks for the help!
>
> But isn't it quite insecure??!!
Well, yes. Maybe. You don't have much choice but to use an alternative
method. There are certainly things you can do. You can run under https.
You can set up a login name and password and check it against your
own user table. If it all passes you can set a cookie or use sessions to
maintain the validity of the user.

One decent method of maintaining the validity of the user is to use an
encryption scheme for the cookie. One that I have used goes as follows:

First time login - Verify name and password. Create a key based on the
user's member ID, crypted with something like the day of the week, to store
in a cookie. Also store their member ID as a cookie.

Next time user accesses something: Get the member ID cookie, encrypt it
with the secret day of the week and compare it to the key cookie. If it
matches then you don't have to check the user tables to verify them. If it
doesn't match send them to the login screen again. Be imaginative on what
you use to encrypt the key and make sure it changes frequently and also set
the expiration on the cookie for the shortest time possible.

Anyway, that's one solution. I'm sure others will have more solutions. Good
luck!

Joel

> > It's for a web app.
> > My provider provides me only one user profile in the User table. I suppose
> > it's the super-user profile.
>
> That should be correct as a provider will usually only give you ONE user on
> only ONE database.
>
> > In order to permit a client to access the database with the right of
> > select, update, insert and delete for the front office (the real web
> > site) and in order to feed the database, modify a state for a command...
> > for each person who works in the society (back office), I create two
> > tables: PROFIL + UTILISATEUR (user).
>
> I think this is where you may be confused. Since you don't have access to
> the real USER table you cannot create any new users with specific rights to
> the database. You can create your own UTILISATEUR table that your code
> checks and then your code must decide what database actions are allowed.
> But you will always access your database with the one user your provider
> gave you and none other.
>
> > In the UTILISATEUR tables I intend to create a user 'Visitor', password:
> > Visitor, a user Administrator with all privileges, a user operator with
> > the privilege only on the ARTICLE products...
>
> As I stated above, all privileges will have to be handled in your own
> code.
>
> > But I don't see the way to assign the rights. I know the command:
> > "GRANT SELECT, INSERT, UPDATE, DELETE ON DB_Install.CLIENT TO
> > Visitor@localhost IDENTIFIED BY password"
>
> As I stated above, I think you'll be understanding by now.
>
> > This instruction is entered from mysql client, but how must I grant a
> > specific profile inside the code?
> > I repeat that I dispose of just one user profile at my provider.
> > Maybe I don't understand the way a database is built.
>
> Hope this helps!!
>
> Joel
>
>
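
The cookie check described in Joel's reply (store the member ID plus a key derived from it, then recompute and compare on each request), as an added example that is not part of the original thread. It swaps in HMAC-SHA256 under a random server-side secret for the day-of-week value and puts the expiry inside the signed data; Python is used for illustration, and `SERVER_SECRET`, `MAX_AGE` and the function names are assumptions.

```python
import hashlib
import hmac

# Assumption: random server-side secret, stored outside the web root and
# rotated regularly (constructed value for this example).
SERVER_SECRET = b"constructed-example-secret"
MAX_AGE = 15 * 60  # seconds; keeps the cookie lifetime short


def _tag(member_id: str, expires: str, secret: bytes) -> str:
    # The expiry is covered by the MAC, so the client cannot extend it.
    msg = f"{member_id}|{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_cookie(member_id: str, now: int, secret: bytes = SERVER_SECRET) -> str:
    """Call once, after name and password matched the application's user table."""
    if "|" in member_id:
        raise ValueError("member ID must not contain the field separator")
    expires = str(now + MAX_AGE)
    return f"{member_id}|{expires}|{_tag(member_id, expires, secret)}"


def verify_cookie(cookie: str, now: int, secret: bytes = SERVER_SECRET):
    """Return the member ID if the cookie is authentic and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    member_id, expires, tag = parts
    expected = _tag(member_id, expires, secret)
    # Constant-time comparison, done on bytes so a non-ASCII tag is
    # rejected instead of raising TypeError.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    # MAC verified, so `expires` is exactly the digit string issued above.
    if now > int(expires):
        return None  # expired: send the user back to the login screen
    return member_id


if __name__ == "__main__":
    cookie = issue_cookie("42", now=1000)                 # constructed member ID
    print(verify_cookie(cookie, now=1060))                # untouched cookie
    print(verify_cookie("43" + cookie[2:], now=1060))     # member ID altered
    print(verify_cookie(cookie, now=1000 + MAX_AGE + 1))  # past expiry
```

Because the secret never leaves the server, a client who sees both cookies' worth of data still cannot compute a valid tag for another member ID, and rotating `SERVER_SECRET` invalidates every outstanding cookie at once.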