April 19, 2004 at 2:26 am
I have a question regarding user accounts. At present I have two databases set up in SQL Server 2000 SP3a which are accessed by two ASP websites.
I have set up a user called 'webuser' to access the database. The databases are called DB1 and DB2. The webuser has a default database of DB1.
The ASP websites' connection strings use the 'webuser' login to log in.
I changed the password for the 'webuser' account in SQL Server yesterday and accidentally accessed the website that used the DB2 database and it gave me access! Horrified, I accessed the DB1 website and I was rightfully denied access.
Why did the DB2 database allow me to access the database still?
Note that there are three users available on each of the databases: dbo, guest and webuser.
Incidentally, should I remove the guest user?
Forgive my ignorance, but I'm just learning!
April 20, 2004 at 4:01 am
AFAIK that should definitely not happen - especially between two databases on the same server. I use a similar user for my web apps to access their databases and this has never happened. Have you got the latest service pack installed?
I think however this is more likely to be a browser issue - could it be simply that your browser is not checking for newer versions of stored pages? In Internet Explorer, do Tools > Internet Options... then under Temporary Internet Files on the first (General) tab click the Settings... button and under "Check for newer versions of stored pages:" make sure "Every visit to the page" is selected.
If it is not then I would bet anything this is the cause; select it (this should always be selected for data-centric web applications). This one's caught me out on a ridiculous number of occasions.
April 20, 2004 at 7:24 am
Unless you have an explicit need for guest, you should sp_revokedbaccess it from the databases in question. If someone doesn't have a valid user in a given database and the guest account is enabled, they will be mapped to the guest user. BTW, even if guest is disabled, it'll still appear in the sysusers table (should have hasdbaccess = 0, though). That's expected.
K. Brian Kelley
@kbriankelley
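The guest check and revocation described in the reply above, as an added T-SQL example that is not part of the original posts. It assumes SQL Server 2000 and the database names DB1 and DB2 from the question; repeat the batch with `USE DB2` for the second database.

```sql
-- Added example (not from the thread). DB1 is the database name given in the question.
USE DB1
GO

-- Is guest enabled here? hasdbaccess = 1 means a login with no user of its own
-- in this database is mapped to guest; 0 means guest is disabled.
-- The row remains in sysusers either way, which is expected.
SELECT name, uid, hasdbaccess
FROM sysusers
WHERE name = 'guest'
GO

-- Confirm that webuser has its own user in this database, so the web site
-- does not depend on guest for access.
SELECT u.name AS db_user, l.name AS login_name, u.hasdbaccess
FROM sysusers u
LEFT JOIN master.dbo.syslogins l ON l.sid = u.sid
WHERE u.name = 'webuser'
GO

-- Disable guest only if it is currently enabled.
IF EXISTS (SELECT 1 FROM sysusers WHERE name = 'guest' AND hasdbaccess = 1)
    EXEC sp_revokedbaccess 'guest'
GO

-- Verify: guest should still be listed, now with hasdbaccess = 0.
SELECT name, hasdbaccess
FROM sysusers
WHERE name = 'guest'
GO
```

Leave guest alone in master and tempdb; SQL Server needs it there.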