What ?! ohh.... man, you are THE web programmer



  •     Hi there!
    Here is my first short story. Be careful, it's a real one.
    I'm currently in a co-op / internship in Canada, at a big company. I mean, this company has about 40,000 people all over the world.

        I'm working on a data storage system, a centralized one. Currently the company uses ERPs (SAP and PeopleSoft), private systems, etc. The goal is to make one for all. The frontend is a website in .NET; the data is in SQL Server.

        We are two in the coding team of the project. I came to help with that. I joined this one-guy team, and the man had started to code the login system on the website. You know? The thing which is so simple to make (login/password) in the front and back ends.

        So, one day, this man told me:

    him: "OK guy, I am going to teach you something. We are making a login system on our website. I need some help because I don't really remember how to do that. You know, I'm a really good webmaster, but hey... I don't have any access to my school intranet (for courses) from here, so..."

    me: "Oh yes, teach me, please... how do you make a secure login on a website?"

    him: "OK man. So, now, we've got approximately 40k people and we have to make their accounts in the data storage website."

    me: "Yes, yes, I know, man..."

    him: "OK. Let's start making 40k user accounts in the SQL Server."

    me: "OK. Just do it, you've got a great idea."



  • your conversation doesn't even make sense, I fear for the users of your code



  • Hmmm :p are you talking about my English or about the meaning of what I said to him?
    If you have not understood (because of my English, excuse me), this guy wants to make about 40k user accounts in the SQL Server (not in a table!), and wants the website to connect to the database with these user accounts (instead of one account for the website connection, and a table with 40k rows in it).

    If my conversation with this man seems strange, it's perhaps because I talk to this man as if he owned THE knowledge... I love it when I hear things like that...



  • @enjoyaol said:

    Hmmm :p are you talking about my English or about the meaning of what I said to him?
    If you have not understood (because of my English, excuse me), this guy wants to make about 40k user accounts in the SQL Server (not in a table!), and wants the website to connect to the database with these user accounts (instead of one account for the website connection, and a table with 40k rows in it).

    If my conversation with this man seems strange, it's perhaps because I talk to this man as if he owned THE knowledge... I love it when I hear things like that...

    Aha... now I get it... making all those accounts should be fun. Or is there some way to automate it? I'm no SQL Server guru.



  • Eric,
    Say you have 40k people in a country, and you are the man responsible for the mail system in this country.
    Would you prefer hiring 40k post employees, one for each citizen, or buying 40k mailboxes, one for each citizen, and hiring 200 post employees?



  • Is there any limit in SQL Server that prevents you from creating 40k accounts?
    Because... if not, and if it doesn't hurt in terms of performance, what's the advantage of home-brew user management?



  • If you have 40k accounts and each user connects to the database with their own account, then you're losing one of the big advantages of a web app, that being connection pooling. Not to mention your users now have another set of credentials to remember, so the sticky note under the keyboard/on the monitor gets longer.

    I would investigate integrated Windows authentication with no impersonation. This gives you the ability to control access via ACLs, but the database connection can still be made via a service account. You get the best of both worlds.



  • I assume you are not a native speaker of English. I'm going to try to clear up that conversation you quoted, to make it a bit easier to understand the WTF.

    @enjoyaol said:

    him: "OK new guy, I'm going to teach you something. I am making a login system for our website, and I need some help because I don't remember how. I'm a really good webmaster, but I don't have access to my school's class materials from here."

    me: "So, how would you make a secure website login?"

    him: "Well, we're going to have about 40k users, and their information must be stored in the database, right?"

    me: "Yes, yes, I know that already"

    him: "Well, let's start by creating 40k SQL server accounts"

    me: "Err, that's a great idea, I think you should do it"



  • OK, since you seem to be Microsoft-based (SQL Server, .Net frontend), I would assume that all of your internal users already have Domain logins, so I would recommend:

    1.  In IIS, right-click on the virtual folder, choose Properties, directory security, edit, disable anon login.
    2.  In ASP.Net for that virtual folder, use User.Identity.Name to get the account name

    Now whenever someone connects to your system, they are greeted by a very secure-looking standardized windows login box, and you don't have to worry at all about authenticating your own logins and stuff.

    (BTW these steps might not be 100% accurate but you get my point)



  • @ammoQ said:

    Is there any limit in SQL Server that prevents you from creating 40K accounts?
    Because... if not, and if it doesn't hurt in terms of performance, what's the advantage of a home-brew user management?


    erm,

    • It wouldn't integrate with active directory/LDAP
    • It pisses on the whole concept of using a relational database for storage
    • The only way to verify the username and password is to try to open a connection to the server with that user/pass and catch the exception if one is thrown; relying on exceptions for logic flow isn't the best idea
    • The users would actually be able to make their own connection to the SQL Server
    • SQL Server user accounts weren't designed for this purpose, at all
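
    As an added example (not code from this thread or from the poster's project), here is the shape of the "one service account plus a user table" design the replies above recommend instead of 40k SQL Server logins. It is Python with an in-memory sqlite3 database as a constructed stand-in for SQL Server; the table and column names, the PBKDF2 work factor and the sample users are assumptions for illustration. The application opens a single connection as the service account (the one a driver would pool), stores a salted PBKDF2 hash per user rather than the password, creates all the accounts with one bulk insert, and verifies a login with a constant-time hash comparison instead of trying to open a database connection as the user and catching the exception.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256; an assumed value for illustration.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def open_service_connection():
    """Open the one application connection (the service account).

    sqlite3 in memory stands in for the SQL Server database in the thread;
    a real deployment would hand back a pooled connection here.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE app_user (
            username   TEXT PRIMARY KEY,
            salt       BLOB    NOT NULL,
            pw_hash    BLOB    NOT NULL,
            iterations INTEGER NOT NULL
        )
        """
    )
    return conn


def _derive(password, salt, iterations):
    """Stretch a password into a fixed-size verifier; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def bulk_create_users(conn, credentials):
    """Create many application users at once: one INSERT batch, not 40k CREATE LOGINs.

    credentials is an iterable of (username, password) pairs. Returns the number created.
    """
    rows = []
    for username, password in credentials:
        salt = os.urandom(SALT_BYTES)
        rows.append((username, salt, _derive(password, salt, PBKDF2_ITERATIONS), PBKDF2_ITERATIONS))
    conn.executemany("INSERT INTO app_user VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def verify_login(conn, username, password):
    """Check a login against the user table over the service connection.

    Returns True only if the username exists and the password matches.
    """
    row = conn.execute(
        "SELECT salt, pw_hash, iterations FROM app_user WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        # Do the same amount of work for an unknown user so response time
        # does not reveal which usernames exist.
        _derive(password, b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    salt, stored_hash, iterations = row
    candidate = _derive(password, salt, iterations)
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    return hmac.compare_digest(candidate, stored_hash)


def user_count(conn):
    """Number of application users in the table."""
    return conn.execute("SELECT COUNT(*) FROM app_user").fetchone()[0]


if __name__ == "__main__":
    # Constructed sample data standing in for the 40k employee directory.
    db = open_service_connection()
    bulk_create_users(db, [("alice", "correct horse battery"), ("bob", "hunter2")])
    print(verify_login(db, "alice", "correct horse battery"))  # True
    print(verify_login(db, "alice", "hunter2"))                # False
    print(verify_login(db, "carol", "anything"))               # False
```

    With this layout the database only ever sees the service account, so the driver's connection pool works and end users never hold database credentials; in the ASP.NET setting Albatross describes, Windows authentication with User.Identity.Name could replace the password check entirely while the same single service connection stays in place.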



  • @Albatross said:

    OK, since you seem to be Microsoft-based (SQL Server, .Net frontend), I would assume that all of your internal users already have Domain logins, so I would recommend:



    Well, he said that they have 40,000 users world-wide, so I doubt very much that they have a single domain. For an all-Windows shop with a suitably configured corporate network, your idea certainly makes sense. I don't think it's going to be workable in this case, however.



  • Is there no existing LDAP system floating around in the 40,000-strong organisation?



  • Albatross, are you speaking about NTLM?
    Can't use that, it's 'quite' only IE. OK, with some tricks you can get it working with some other browsers, but... my answer is no :)



  • oh, crap.  Now I get it.  Yes, creating them as actual SQL user accounts is definitely "brillant"

