  1. #1
    Join Date
    Jul 2007

    Unanswered: log on question / tracking users

    I have a question about the "proper" way to authenticate users connecting to my Oracle database.
    I have a connection string defined in my app.config with the connection information for my Oracle DB instance (building a Windows Forms app).
    Within that database, I have created a USERS table.
    I'm assuming that I would:
    1. Connect to the database using the credentials in the app.config.
    2. Authenticate the user by presenting the login form and building a select statement against the users table.
    If login fails, I would kill the connection created in step 1. If it passes, I could continue to use the connection to perform the various tasks provided to the end user via the application.

    I guess I want to confirm that I need to store the generic connection information somewhere to even perform the select statement against the users table, and I also want to ask how I can "track" the user's activity in a log / audit table if the connection I'm really using is the "generic" one. I heard that it's easy to track all events in Oracle... but I imagine using the scenario above, all activity would be logged under my generic / system account.
    Is that correct? If that's so, I guess I need to create my own audit routine that will send along the credentials of the current user.

    I hope my questions make sense.

  2. #2
    Join Date
    Aug 2003
    Where the Surf Meets the Turf @Del Mar, CA
    Provided Answers: 1
    >Is that correct? If that's so, I guess I need to create my own audit routine that will send along the credentials of the current user.

    Realize that the end user is really communicating with the web/application server, and not the database server, in a 3-tier architecture.
    You can lead some folks to knowledge, but you can not make them think.
    The average person thinks he's above average!
    For most folks, they don't know, what they don't know.
    Good judgement comes from experience. Experience comes from bad judgement.

  3. #3
    Join Date
    Jul 2007

    That makes sense...

    Thanks for the response.
    I guess I'll create my own audit routine.

  4. #4
    Join Date
    Dec 2003
    We have users coming through Forms, but using the same generic database login (defined in a RAD - Resource Access Descriptor - on our Application Server).

    All of our Forms apps run through a PACKAGE, first thing, which stores that user's OID login in a PACKAGE SPEC variable.

    About a year after we implemented this, we realized that we wanted to track individual users and the database session they were connected to. So, in that same package we added code:

      DBMS_SESSION.SET_IDENTIFIER(<their OID login name>);
    By having them run this procedure, you're setting their name in the CLIENT_IDENTIFIER column of V$SESSION. So now, we can query V$SESSION, and while the USERNAME column shows the generic user account, CLIENT_IDENTIFIER lets us know who is really logged in.
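
The approach from post #4 extended into an audit trail, as an added example that is not code from any poster in this thread: the application sets the client identifier after it has authenticated the end user, and a row trigger copies it into an audit table next to the generic database account. The names `app_ctx`, `app_audit`, `orders` (with an `order_id` column) and `APP_GENERIC` are hypothetical.

```sql
-- Added example; app_ctx, app_audit, orders(order_id) and APP_GENERIC are hypothetical names.
CREATE OR REPLACE PACKAGE app_ctx AS
  PROCEDURE begin_user_session(p_login IN VARCHAR2);
  PROCEDURE end_user_session;
END app_ctx;
/
CREATE OR REPLACE PACKAGE BODY app_ctx AS
  -- Call once the application has authenticated the end user.
  PROCEDURE begin_user_session(p_login IN VARCHAR2) IS
  BEGIN
    -- CLIENT_IDENTIFIER holds at most 64 bytes; reject rather than truncate an identity.
    IF p_login IS NULL OR LENGTHB(p_login) > 64 THEN
      RAISE_APPLICATION_ERROR(-20001, 'invalid end-user login');
    END IF;
    DBMS_SESSION.SET_IDENTIFIER(p_login);
  END begin_user_session;

  -- Call at logout, or before a shared connection is handed to another user.
  PROCEDURE end_user_session IS
  BEGIN
    DBMS_SESSION.CLEAR_IDENTIFIER;
  END end_user_session;
END app_ctx;
/

CREATE TABLE app_audit (
  audit_time TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL,
  db_user    VARCHAR2(128),          -- the generic account the session logged in as
  end_user   VARCHAR2(64),           -- value set via DBMS_SESSION.SET_IDENTIFIER
  action     VARCHAR2(6) NOT NULL,
  order_id   NUMBER
);

-- Records every change to ORDERS with both the database user and the end user.
CREATE OR REPLACE TRIGGER orders_audit_trg
AFTER INSERT OR UPDATE OR DELETE ON orders
FOR EACH ROW
DECLARE
  v_action VARCHAR2(6);
BEGIN
  v_action := CASE WHEN INSERTING THEN 'INSERT' WHEN UPDATING THEN 'UPDATE' ELSE 'DELETE' END;
  INSERT INTO app_audit (db_user, end_user, action, order_id)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'),
          v_action, COALESCE(:NEW.order_id, :OLD.order_id));
END;
/

-- Who is behind each session of the generic account right now.
SELECT sid, serial#, username, client_identifier FROM v$session WHERE username = 'APP_GENERIC';
```

The identifier is whatever the connected client sets, so it is only as trustworthy as the tier holding the generic credentials; rows where `end_user` is NULL show sessions that never called `begin_user_session`.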

