Sql server SQL Server存储过程无法正确设置上下文信息
这让我快发疯了。My.NET应用程序调用存储过程从数据库检索存储的哈希密码:Sql server SQL Server存储过程无法正确设置上下文信息,sql-server,vb.net-2010,Sql Server,Vb.net 2010,这让我快发疯了。My.NET应用程序调用存储过程从数据库检索存储的哈希密码: ALTER PROCEDURE [dbo].[sGetHashedPW] -- Add the parameters for the stored procedure here @UserName varchar(32) = N'' AS DECLARE @ContextInfo varbinary(128) BEGIN SET NOCOUNT ON; --Set Context I
ALTER PROCEDURE [dbo].[sGetHashedPW]
-- Add the parameters for the stored procedure here
@UserName varchar(32) = N''
AS
DECLARE @ContextInfo varbinary(128)
BEGIN
SET NOCOUNT ON;
--Set Context Info for this session to Username requested
SELECT @ContextInfo = CAST(@Username AS varbinary(128));
SET CONTEXT_INFO @ContextInfo;
--Return Hashed User Password to Application
SELECT TOP 1 [Password] as PWHash FROM [dbo].[vSecurity] WHERE [UserName] = @UserName;
END
应用程序验证密码并运行第二个存储过程,该过程在会话
表中创建一行,向应用程序返回字符串(GUID),并将上下文信息
设置为字符串的值
现在,只要应用程序打开一个连接,它就会调用sSessionStart
,并传递在登录过程中收到的字符串。如果连接在新会话中打开,proc应将CONTEXT\u INFO
设置为传递的验证字符串值:
ALTER PROCEDURE [dbo].[sStartSession]
@token varchar(128)=NULL
AS
DECLARE @GUID uniqueidentifier
BEGIN
SET NOCOUNT ON;
IF @token IS NULL --Token not passed from the application
BEGIN
BEGIN TRANSACTION;
BEGIN TRY
SELECT @GUID = personnel_token
FROM t300_Personnel INNER JOIN vSecurity ON t300_Personnel.personnel_user_name = vSecurity.UserName
WHERE personnel_user_name = CAST(CONTEXT_INFO() as varchar(128));
SET @GUID = ISNULL(@GUID,NewID());
INSERT INTO dbo.t900_UserSession
(session_token,session_dbuser,session_id)
OUTPUT CAST(@GUID as varchar(128))
SELECT @GUID, [DB_User], @@SPID
FROM t300_Personnel INNER JOIN
vSecurity ON t300_Personnel.personnel_user_name = vSecurity.UserName
WHERE [UserName] = CAST(CONTEXT_INFO() as varchar(128));
UPDATE dbo.t300_Personnel SET [personnel_token]= @GUID
WHERE [personnel_user_name] = CAST(CONTEXT_INFO() as varchar(128));
--Change Context Info to the GUID
SET CONTEXT_INFO @GUID;
END TRY
BEGIN CATCH
IF @@TRANCOUNT > 0
ROLLBACK TRANSACTION;
THROW 51000, N'Session could not be opened',1;
END CATCH
IF @@TRANCOUNT > 0
COMMIT TRANSACTION;
END
ELSE --Token was passed from the application
BEGIN
BEGIN TRY
SELECT @GUID = CAST(@token as uniqueidentifier);
INSERT INTO dbo.t900_UserSession
(session_token,session_dbuser,session_id)
SELECT @GUID, DB_User, @@SPID
FROM t300_Personnel INNER JOIN
vSecurity ON t300_Personnel.personnel_user_name = vSecurity.UserName
WHERE personnel_token = @GUID;
IF (@@ROWCOUNT = 0) --Insert failed due to invalid token
SELECT CAST('INVALID TOKEN' as varchar(128));
ELSE --New session was created
BEGIN
SET CONTEXT_INFO @GUID;
SELECT CAST(@GUID as varchar(128));
END
END TRY
BEGIN CATCH
IF (ERROR_NUMBER() = 2627) --Token is valid but session already exists
SELECT CAST(@GUID as varchar(128));
ELSE
THROW;
END CATCH
END
END
当我在SSMS查询会话中模拟它时,一切都很好。应用程序遇到问题
第一部分很好:
Public Sub Authenticate(username As String, password As String, connString As String)
Using oConn As New SqlConnection(connString)
'Check that connection exists and is open
oConn.Open()
If oConn.State = ConnectionState.Open Then
Dim sqlCmd As New SqlCommand("EXEC dbo.sGetHashedPW N'" & username & "'", oConn)
_pwhash = sqlCmd.ExecuteScalar
_authenticated = EncryptHash.VerifyHash(password, "SHA512", _pwhash)
If _authenticated Then
_username = username
_connString = oConn.ConnectionString
sqlCmd.CommandText = "EXEC dbo.sStartSession"
_hashToken = sqlCmd.ExecuteScalar
Else
clearVariables()
End If
End If
End Using
End Sub
在这一点上,一切都很好,CONTEXT\u INFO
在这两个过程中都设置正确。连接现在已关闭,但应用程序具有从sStartSession
过程返回的验证字符串
打开表单时,将创建并打开SqlConnection
。表单运行sStartSession
,传递字符串参数:
Private Sub frmPersonnel_Load(sender As System.Object, e As System.EventArgs) Handles MyBase.Load
Me.MdiParent = frmMain
'Open the form's connection and ensure the database session is logged
oCN = New SqlConnection(currentUser.ConnectionString)
oCN.Open()
Dim sqlCmd As New SqlCommand("EXEC dbo.sStartSession '" & currentUser.Token & "'", oCN)
Dim sResult = sqlCmd.ExecuteScalar
有趣的是sResult
按预期返回字符串,但CONTEXT\u INFO
立即设置为0x00000:
SELECT
[session_id], [context_info],
CAST([context_info] as uniqueidentifier) as Context,
CAST([context_info] as varchar(128)) as Context2,
[program_name]
FROM
sys.dm_exec_sessions
WHERE
[program_name] = 'this application'
啊 简单的答案是所有权链接。在测试存储的进程时,我作为SA登录到SSMS。我在SSMS会话下模拟了登录,一切正常。使用安全配置文件非常有限的应用程序登录是出现问题的地方。最后,应用程序在一个函数上缺少执行权限:(为什么不使用SELECT CONTEXT_INFO(),就像CONTEXT_INFO()是特定于会话的一样,因此我无法从SSMS使用CONTEXT_INFO()查看应用程序会话的上下文信息在做什么)我将更改vb代码,使其使用参数来防止SQL注入。请参阅并正确地将命令包装在“using”语句中。