RE: Membership - Database Security



Hi Steven,

Another solution is to change the static nature of the applicationName setting
to be dynamic by writing a very basic derived provider. We can see that in
the book "Professional ASP.NET 2.0 Security, Membership, and Role Management"
- Stefan Schackow. Great book !! :p

I understand both solutions, but in my opinion, and because of that
"security problem", there should be another parameter field to avoid that kind of
solution. For example, MSFT could create one parameter field
"applicationMembershipKey" that should have one character password or
something like that. That additional parameter would avoid all that kind of
solution.

Example:

<add name="AspNetSqlMembershipProvider" applicationName="/Site1"
applicationMembershipKey="as548965d" ….. />


Thanks again for your help :p

Best regards,
Ricardo Figueira (rbfigueira)


"Steven Cheng[MSFT]" wrote:

Hello Rbfigueira,

From your description, you have multiple ASP.NET 2.0 Web applications that
will use membership/role services to secure themselves. However, you're
wondering whether it is proper to store these applications'
membership/role data in a shared database or separately, correct?

I think your analysis about the shared database condition is reasonable.
Yes, if we configure multiple ASP.NET 2.0 applications' membership providers
to use the same shared database, each SqlMembershipProvider should use a
different "ApplicationName" so that their data can be identified correctly.
Also, your worry is correct that if another new application joins and also
uses the same membership database and is incorrectly configured with an
"ApplicationName" duplicated from another existing application, it will use
the existing membership data of that application incorrectly.

For such a scenario, I think you can consider the following solutions:

1. Still configure multiple ASP.NET applications to use the shared
membership database; however, you make the user/roles management (insert,
update...) in a separate admin application so that the membership data can
only be modified through that admin web application (connecting to SQL
through a particular login with powerful permissions). And for the normal web
applications, the Windows security identity or SQL login (if you use a SQL
connection in the connection string) only has read-only permission (this is
necessary for the application's membership/role validation and querying...).

2. Use a separate database for each web application; this will completely
prevent applications' data being corrupted, though it may add data storage
overhead.

What do you think? Please feel free to let me know if you have any other
questions or ideas on this.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.
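One way to implement Steven's first solution (an admin application with write rights, normal applications with only the rights needed for validation and role checks) is to map each application's SQL login onto the database roles that the ASP.NET 2.0 membership schema ships with. This is an added example written for this thread, not code from either poster; the login names and the password placeholder are assumptions, and it assumes the standard aspnetdb schema created by aspnet_regsql, whose role names (aspnet_Membership_FullAccess, aspnet_Membership_BasicAccess, aspnet_Roles_FullAccess, aspnet_Roles_BasicAccess) are used here.

```sql
-- Added example: least-privilege SQL logins for a shared ASP.NET 2.0
-- membership database. Login names and password are placeholders.
USE aspnetdb;
GO

-- Admin application: the only login allowed to create, update and delete
-- users and roles. Map it to the *_FullAccess roles.
CREATE LOGIN membership_admin_app
    WITH PASSWORD = 'REPLACE-WITH-STRONG-PASSWORD';
CREATE USER membership_admin_app FOR LOGIN membership_admin_app;
EXEC sp_addrolemember 'aspnet_Membership_FullAccess', 'membership_admin_app';
EXEC sp_addrolemember 'aspnet_Roles_FullAccess',      'membership_admin_app';
GO

-- Normal web application (for example the one configured with
-- applicationName="/Site1"): only the *_BasicAccess roles, which grant
-- EXECUTE on the stored procedures that ValidateUser, GetUser and
-- IsUserInRole need, but not on the create/delete procedures.
CREATE LOGIN site1_app
    WITH PASSWORD = 'REPLACE-WITH-STRONG-PASSWORD';
CREATE USER site1_app FOR LOGIN site1_app;
EXEC sp_addrolemember 'aspnet_Membership_BasicAccess', 'site1_app';
EXEC sp_addrolemember 'aspnet_Roles_BasicAccess',      'site1_app';
GO

-- Check: impersonate the normal application's user and confirm that it can
-- run the procedure behind ValidateUser but not the one behind CreateUser.
EXECUTE AS USER = 'site1_app';
SELECT HAS_PERMS_BY_NAME('dbo.aspnet_Membership_GetPasswordWithFormat',
                         'OBJECT', 'EXECUTE') AS can_validate_user,
       HAS_PERMS_BY_NAME('dbo.aspnet_Membership_CreateUser',
                         'OBJECT', 'EXECUTE') AS can_create_user;
REVERT;
GO
```

Two caveats when applying this: BasicAccess is not strictly read-only, because ValidateUser records the last login date through aspnet_Membership_UpdateUserInfo, which the role must therefore allow; and these roles do not separate data per ApplicationName, so a misconfigured applicationName in a normal application still reads the other site's users, which is the case Steven's second solution (one database per application) closes.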








