Posted by Nick Stansbury on 11/01/05 11:29
Hi,
I have a question regarding host_name() and IP addresses of clients. I'm
running on a shared server - so access to xp_cmdshell is barred which is the
standard response to questions about getting the IP address of a client from
sql server. My issue is this:
For security reasons every user of our database system logs into our custom
security system all under the *same* sql-server user name (who only has
access to a discrete set of stored procedures). This can't be changed as we
are limited to 3 database users. I store the host_name that the user logs
in from when he logs in - and then check the host_name of any further calls
to sp's under this login context. I have however just discovered that
host_name() is set in the connection string - so the client can pass pretty
much whatever he wants to - so all an imposter would have to do is *fake*
the client name of an existing user. Is there any way of detecting the *real*
client's host? Is there any way of forcing a client to be limited to just
one client machine? Can I get hold of the IP address in a reliable way?
Thanks
Nick
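
One way to bind an application login to the address the server itself observed on the connection, rather than to HOST_NAME(), shown as an added example that is not part of the original post. It assumes SQL Server 2008 or later (for CONNECTIONPROPERTY and CRYPT_GEN_RANDOM); the table and procedure names are hypothetical.

```sql
-- Added example; dbo.AppSession and both procedures are hypothetical names.
-- HOST_NAME() returns the workstation ID sent by the client, while
-- client_net_address is what the server saw on the network connection.
CREATE TABLE dbo.AppSession (
    SessionToken  BINARY(16)    NOT NULL PRIMARY KEY,
    AppUserId     INT           NOT NULL,
    ClaimedHost   NVARCHAR(128) NULL,      -- client-supplied, kept for audit only
    ClientAddress VARCHAR(48)   NOT NULL,  -- server-observed peer address
    CreatedAt     DATETIME      NOT NULL DEFAULT GETUTCDATE()
);
GO

-- Called once after the application-level login has succeeded.
CREATE PROCEDURE dbo.usp_StartAppSession
    @AppUserId    INT,
    @SessionToken BINARY(16) OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @SessionToken = CRYPT_GEN_RANDOM(16);
    INSERT INTO dbo.AppSession (SessionToken, AppUserId, ClaimedHost, ClientAddress)
    VALUES (@SessionToken, @AppUserId, HOST_NAME(),
            CONVERT(VARCHAR(48), CONNECTIONPROPERTY('client_net_address')));
END
GO

-- Called at the top of every other procedure; the comparison never uses HOST_NAME().
CREATE PROCEDURE dbo.usp_CheckAppSession
    @SessionToken BINARY(16)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Addr VARCHAR(48);
    SET @Addr = CONVERT(VARCHAR(48), CONNECTIONPROPERTY('client_net_address'));
    IF NOT EXISTS (SELECT 1 FROM dbo.AppSession
                   WHERE SessionToken = @SessionToken
                     AND ClientAddress = @Addr)
    BEGIN
        RAISERROR('Session is not valid for this connection.', 16, 1);
        RETURN 1;
    END
    RETURN 0;
END
GO
```

The address is the network peer the server sees, so clients behind the same NAT gateway or proxy share it. On SQL Server 2005 the same value is in sys.dm_exec_connections (filtered by @@SPID), which requires VIEW SERVER STATE.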