For the following i'm curious of your thoughts and maybe things I overlook:
I've made a custom login module (design reasons) which I use in the solutions I make. But from the beginning that I use this module security is still in my mind. I've tested several options to "hack" the database but without success.
How it works in short:
- Database is encrypted and File Access is enabled
- I've made a special login user which automatically logs in after opening the database (This user only has permission for the login layout and related scripts & tables)
- In the login layout the application user enters username & password and clicks on the button Login
- If login succeeds the user is brought to the 'home' layout.
Now i've added something new. Because it's a custom solution native auto login isn't possible. I've been thinking of several solutions. Starter file on computer where the user enters there credentials and automatically logs in etc.
But now i've made the following.
- Database opens
- Based on the persistent ID an Execute SQL Select query is run on a table where auto logins are registered to find the persistent ID
- When found it selects the fields of the record Username & Password (encrypted with BaseElements plug-in with AES)
- The username & password are decrypted in combination with the persistent ID
- The solution logs in automatically
I've made this and it works great. But one of my concerns is that the table where all registrations of devices, usernames &passwords is available for the 'login user'.
I thought of the following for this problem:
- Solution opens and Login User 1 automatically logs in (with access to the Auto Login table)
- OnFirstWindowOpen triggers the script and checks AutoLogin table
- No success
- Script automatically logs in with a 2nd Login user which doesn't has access to the auto login table
- User has to login manually