February 4, 2011 at 2:21 am
Hi,
We want to ensure that connections to a database with a particular account are ONLY made via the client application. I've started to look at the logon trigger and I can query the connection data such as application name and only allow the connection if it is the client application name and if ORIGINAL_LOGIN() is the particular account the application uses.
However, I know this can be easily spoofed, so ideally I wanted to encrypt some data in the application and send it in the connection string; the logon trigger can decrypt it and verify that the session has come from the client application.
I know a connection has the CONTEXT_INFO data, but I can only see references to this being set on the server using SET CONTEXT_INFO. Is it possible to set this in the connection string from the client?
If not, is there any way to "tag" some connection data in the connection string? I know I could send it in some other fields, such as the Workstation field etc., but this is far from ideal.
Thanks for any help
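The logon-trigger check described in the post above, written out as T-SQL. This is an added example, not code from the thread: the login name AppServiceLogin, the application name InventoryClient and the two client addresses are assumed placeholders. It combines ORIGINAL_LOGIN(), APP_NAME() and the ClientHost element of EVENTDATA(), and exempts sysadmins so a misfiring trigger cannot lock administrators out.

```sql
-- Added example (not from the thread). Assumed names: login AppServiceLogin,
-- application name InventoryClient, client hosts 10.10.5.21 and 10.10.5.22.
-- Run as a sysadmin in master.
USE master;
GO
CREATE TRIGGER trg_logon_restrict_app_account
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- Never block sysadmins: a logon trigger that misfires locks everyone out,
    -- and the only way back in is the Dedicated Administrator Connection.
    IF IS_SRVROLEMEMBER(N'sysadmin') = 1
        RETURN;

    -- Only the application's login is subject to the check.
    IF ORIGINAL_LOGIN() <> N'AppServiceLogin'
        RETURN;

    -- EVENTDATA() carries the connecting host (reported as '<local machine>' for
    -- local connections). APP_NAME() is the client-supplied "Application Name"
    -- connection-string keyword, so it is a tag, not proof of origin.
    DECLARE @event XML = EVENTDATA();
    DECLARE @client_host sysname =
        @event.value('(/EVENT_INSTANCE/ClientHost)[1]', 'sysname');
    DECLARE @app_name sysname = APP_NAME();

    IF @app_name <> N'InventoryClient'
       OR @client_host NOT IN (N'10.10.5.21', N'10.10.5.22')
    BEGIN
        -- ROLLBACK inside a logon trigger refuses the connection; the client
        -- receives error 17892 (logon failed due to trigger execution).
        ROLLBACK;
    END
END;
GO

-- Confirm what the application's sessions currently report.
SELECT session_id, login_name, program_name, host_name
FROM sys.dm_exec_sessions
WHERE login_name = N'AppServiceLogin';
```

Two practical notes: the trigger runs inside the login's transaction, so an audit row inserted before the ROLLBACK is rolled back with it; and if the trigger ever rejects everyone, connect through the DAC and run `DISABLE TRIGGER trg_logon_restrict_app_account ON ALL SERVER;`.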
February 4, 2011 at 2:41 am
I don't know much about it, but got sent this link the other day:
http://jasondentler.com/blog/2010/01/exploiting-context_info-for-fun-and-audit
Hopefully it's of some help to you.
February 4, 2011 at 3:10 am
Thanks - but what I ideally want to do is verify the requested connection entirely in the logon trigger. If the connection is not valid, I will simply do a rollback.
The key to making this process secure is passing encrypted data up from the client application. The trigger can then interpret this and decide if the connection is legal. I know the CONTEXT_INFO data is associated with each connection, but can it be set from the client somehow? This would have to be before the connection has opened, so the only chance I guess is the connection string. But I can't see any property of a connection string that will set the context_info for the connection.
Does anybody have an idea?
Cheers
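The CONTEXT_INFO tagging asked about in the post above, as an added T-SQL example (not code from the thread). CONTEXT_INFO is set with the SET CONTEXT_INFO statement on an already-open session, and there is no connection-string keyword for it, so the value is not available inside the logon trigger; this example therefore verifies it in a gate procedure that every application procedure calls first. The database AppDb, login AppServiceLogin, application name InventoryClient and the shared secret are assumed placeholders; the token is SHA-256 of the secret, which a real client would compute locally and send only as the 32-byte digest.

```sql
-- Added example (not from the thread). Assumed names: database AppDb, login
-- AppServiceLogin, application name InventoryClient, placeholder shared secret.
USE AppDb;
GO
CREATE TABLE dbo.AppSessionToken (
    AppName sysname       NOT NULL PRIMARY KEY,
    Token   varbinary(32) NOT NULL
);
GO
-- One-time provisioning by an administrator; the literal secret is a placeholder.
INSERT INTO dbo.AppSessionToken (AppName, Token)
VALUES (N'InventoryClient', HASHBYTES('SHA2_256', N'replace-with-deployed-secret'));
GO

-- Gate procedure: returns 0 for a correctly tagged session, raises and returns 1 otherwise.
CREATE PROCEDURE dbo.AssertAppSession
    @AppName sysname
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @expected varbinary(32);
    SELECT @expected = Token FROM dbo.AppSessionToken WHERE AppName = @AppName;

    -- CONTEXT_INFO() is NULL when never set and otherwise holds the 128-byte session
    -- value; the client sets the first 32 bytes, so compare only that prefix.
    IF @expected IS NULL
       OR CONTEXT_INFO() IS NULL
       OR SUBSTRING(CONTEXT_INFO(), 1, 32) <> @expected
       OR APP_NAME() <> @AppName
       OR ORIGINAL_LOGIN() <> N'AppServiceLogin'
    BEGIN
        RAISERROR(N'Session is not tagged as the authorised client application.', 16, 1);
        RETURN 1;
    END
    RETURN 0;
END;
GO

-- An application procedure protected by the gate.
CREATE PROCEDURE dbo.GetStockLevel
    @ItemId int
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @rc int;
    EXEC @rc = dbo.AssertAppSession @AppName = N'InventoryClient';
    IF @rc <> 0 RETURN @rc;
    SELECT @ItemId AS ItemId, 42 AS Quantity;  -- placeholder for the real query
END;
GO

-- Client side: the first statements the application sends after the connection opens.
-- (Shown with HASHBYTES for a self-contained script; the deployed client hashes locally.)
DECLARE @token varbinary(32) = HASHBYTES('SHA2_256', N'replace-with-deployed-secret');
SET CONTEXT_INFO @token;
EXEC dbo.GetStockLevel @ItemId = 1;   -- succeeds only on a tagged session
```

The token raises the bar for ad-hoc tools but is not proof of origin: it is readable in sys.dm_exec_sessions.context_info by anyone holding VIEW SERVER STATE, and a secret embedded in the client binary can be extracted from it, so the spoofing concern raised in the first post still applies to this approach.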