PDA

View Full Version : Dababase Login dialog



Clive Richmond
11-Jan-2017, 01:50 AM
Probably already on your to-do list but just in case ....

10562

DbExplorer

10563

Vincent Oorsprong
11-Jan-2017, 03:15 AM
Clive,

What is the question/case/issue?

If it is the "remember me"; Database Explorer should not have this option.

Marco
11-Jan-2017, 04:32 AM
Why not?
Assuming it is saved encrypted in the user reg, it looks like a perfectly fine option.
It's not like when you have dataflex tables it will be more protected right?

Clive Richmond
11-Jan-2017, 05:49 AM
Hi Vincent,


If it is the "remember me"; Database Explorer should not have this option.

Correct. What is the reason why it shouldn't?

Samuel Pizarro
11-Jan-2017, 06:02 AM
Security?

wrong personnel being able to access the real table data?

Marco
11-Jan-2017, 06:42 AM
Wrong personel should not have credentials that allow them to do wrong things...

Clive Richmond
11-Jan-2017, 08:43 AM
Hi Samuel,


Security?

wrong personnel being able to access the real table data?

In the development environment my expectation is anything to do with the connectivity, functionality or usability, will be consistent in all the tools I might use.

Deployment is different and personally I wouldn’t want to see this dialog popping up in the first place. It would indicate to me that our application was not installed / setup correctly.

I have already suggested something in this post (http://support.dataaccess.com/Forums/showthread.php?60156-DbExplorer-amp-Database-Drop-Down-Menu-Deployment)but I notice that the new cConnection class has a property called pbLoginDialogRequired. Perhaps this should be exposed as a flag in DbExplorer’s configuration?

Samuel Pizarro
11-Jan-2017, 09:55 AM
That's a good approach Clive!

Vincent Oorsprong
12-Jan-2017, 07:09 AM
Database Explorer can be used in development and deployment environments. If it is used in an development environment you should have the password saved in dfconnid.ini and database explorer will not ask you to login. If you don't like the password to be saved though the DataFlex Studio you would uncheck the "remember me" and you need to enter username/password every time you load a workspace in the DataFlex Studio. If you would have a remember me in Database Explorer you would save the entered password in dfconnid.ini and then the Studio would never ask. So if you at development don't want to save a password DataFlex explorer should not give you the option to save it anyway. BUT, more important, if Database Explorer is used in deployment environment and there was a 'remember me' option you could breach security and allow anyone to access the database through Database Explorer. Entering the password each time requires you to know the Database password and if you don't know it you cannot access the database. If you don't know the password of - for example - Microsoft SQL Management Studio you cannot browse, edit etc too. The DataFlex tools should not be accused for allowing people to get into data if not anyone should be allowed to get there.

Clive Richmond
18-Jan-2017, 04:35 AM
Hi Vincent,

Thanks for your reply. However I am not convinced by the arguments you’ve put forward except to agree there is a difference between using the tools in development versus deployment.

Development. You’ve made the assumption you know how I use the development tools. If I arrive at my desk in the morning and the first thing I want to do is check something I was thinking about earlier, I run up database explorer, via the shortcut on my desktop, and I am greeted by the database login. Tom starts earlier than me and I know he was going to look at an issue we were discussing the day before with the SQL database, that we share for testing, concerning authentication. Now Tom sits around the corner so I bellow across the room for the new password which he duly obliges. My workflow was suspended while I retrieved the password. Now it’s going to be interrupted. Do I carry on, and save the password later, or do I quit, load the Studio, and do it now? This is just one scenario but I could probably muster up a dozen more. In event driven programming it’s me that should be determining my next action not the tools, so I see no reason why I shouldn’t be allowed to save the password here.

Deployment. No doubt opinions here will range from one extreme to the other and anything in between. I think there are currently some decent provisions to prevent a ‘breach of security’ from the client installer skipping installation, and flags such as open tables readonly, toggle read/write, skip protected columns to name a few, plus you could have a custom workspace and filelist. With introduction of Managed SQL Connections I think there is an opportunity to do more. As I’ve mentioned elsewhere in this thread I wouldn’t want to see this dialog. For our application, this would be considered a configuration error. If the dialog does remain I certainly don’t want to see options for either a remember password or a trusted connection.


The DataFlex tools should not be accused for allowing people to get into data if not anyone should be allowed to get there.

You can lead a horse to water but you can’t make him drink.