Posted by Erland Sommarskog on 11/02/05 00:39
Nick Stansbury (nick.stansbury@sage-removepartners.com) writes:
> 1) Client tool (either web system or windows system) logs into DB and
> opens connection
> 2) User logs in (using our LOGIN sp) to database - passing a small
> part of his password (like a bank login system)
> 3) The Stored Procedure records the IP address of the request, and then
> allocates this IP address and user with a unique KEY (a GUID) and
> returns it to the client
> 4) In every additional request made by this user the "Key" is passed
> back to the database - and the IP address of the requesting machine is
> then checked against the IP address stored in the table - if there is a
> discrepancy the request fails and the key is "deactivated" permanently.
>
> But obviously for this to work I need to reliably get the IP address of
> each request - *not* just the host_name (because it seems like you can
> basically make that up however you want!)
I will have to admit that when it comes to web sites, I am in foreign
territory. But it sounds to me as if the users are directly connected
to the database. I thought the normal procedure was that the web server
worked as the middle-man. In this case, the web server has the information
about IP addresses. And if the web service connects to the database, it
can pass that information in the connection string, and you can use
host_name() as the web server can be regarded as reliable. (But of course
you can spoof your IP address if you want to.)
--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techinfo/productdoc/2000/books.asp
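
Steps 3 and 4 of the quoted scheme, combined with the reply's suggestion of letting the web server pass the client address in the connection string, as an added T-SQL example that is not part of the original posts. The table, column and procedure names are hypothetical, and it assumes the web server is the only client of the database and sets the workstation id of its connection to the browser's IP address.

```sql
-- Added example; all object names are hypothetical.
-- Assumption: only the trusted web server connects, and it puts the
-- browser's IP address in the workstation id of its connection string,
-- so HOST_NAME() returns that address inside these procedures.
CREATE TABLE dbo.UserSessions (
    SessionKey uniqueidentifier NOT NULL PRIMARY KEY,
    UserId     int              NOT NULL,
    ClientAddr nvarchar(128)    NOT NULL,
    IsActive   bit              NOT NULL DEFAULT 1
)
GO

-- Step 3: called after the login check succeeded; binds a new key to the address.
CREATE PROCEDURE dbo.IssueSessionKey
    @UserId     int,
    @SessionKey uniqueidentifier OUTPUT
AS
SET NOCOUNT ON
SET @SessionKey = NEWID()
INSERT dbo.UserSessions (SessionKey, UserId, ClientAddr)
VALUES (@SessionKey, @UserId, HOST_NAME())
GO

-- Step 4: every later request presents the key before doing any work.
-- Return codes: 0 = valid, 1 = unknown or deactivated key, 2 = address mismatch.
CREATE PROCEDURE dbo.CheckSessionKey
    @SessionKey uniqueidentifier
AS
SET NOCOUNT ON
DECLARE @addr nvarchar(128), @active bit

SELECT @addr = ClientAddr, @active = IsActive
FROM   dbo.UserSessions
WHERE  SessionKey = @SessionKey

IF @addr IS NULL OR @active = 0
    RETURN 1

IF @addr <> HOST_NAME()
BEGIN
    -- Discrepancy: the key is deactivated permanently, as in the quoted step 4.
    UPDATE dbo.UserSessions SET IsActive = 0 WHERE SessionKey = @SessionKey
    RETURN 2
END

RETURN 0
GO
```

Because HOST_NAME() is whatever the connecting client supplies, this check is only as trustworthy as the restriction that nothing but the web server can log in to the database.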