Asp.net SQL Server user impersonation

Question

I wonder if somebody could point me in the right direction. We're currently looking to update an ASP.NET application that uses SQL Server 2005 for its db. We need to provide robust and consistent functionality that prevents certain users creating, updating, deleting certain records from the database.

Unfortunately, the application isn't written using OO concepts, instead favouring many data access stored procedures called directly from the web page code behind files. Due to the sheer amount of stored procedures we'd prefer to investigate database triggers to implement our security.

The question is; is it possible for the db trigger to be aware of the specific application user (managed using custom user account tables in the db) which executed the sp? All we'd need is an id. The connection string used to connect to the db is identical for all users (taken from the web.config), is there a way for the connection to some how either impersonate a user, or set a specific variable accessible to the trigger?

Answer 1

If the application uses a SqlConnection to 'login' the user and then performs the data access/updates using the very same SqlConnection then you can use CONTEXT_INFO() . Set the context in the 'login' procedure, then check it in the data access/update procedure(s). See Using Session Context Information .

But if the application uses a SqlConnection to 'login', caches the result (perhaps in a cookie or in the ASP session state), and then uses a different SqlConnection to access data then there is no way access the needed login information w/o application support. If you can locate all the places where SqlConnection objects are created and refactor it to use the factory pattern then you can augment each connection open with a call to set the context info before returning it to the caller for use and that would also work, with minimal application changes.