So, in my application, I present the user with a login form on load. They supply a username/password (into two textboxes, txtUserID and txtPassword) which is then compared via md5 against a database, and when a match returns (correct password), the app sets a setting (my.settings.userID) to whatever value was typed in the first textbox (txtUserID).
I have some forms I want to restrict, like user management, user analysis/statistics, which will each have their own form. In order to designate access to these forms, I have created a true/false indicator in my database for whether or not a user is named "Admin". For these forms I wish to be more secure, my intention was to pass the "my.settings.userID" as a parameter and query for the Admin value (boolean true or false) then either give or deny access (or even show/hide these areas on the main form workspace). I think the problem with this thought is that potentially after logging in, a user could modify the value for "my.settings.userID" in the user settings file, to that of someone who is an admin, if they could figure that out, effectively "tricking" the system into thinking they have access.
How should I detect admin access? Perhaps daily generating a salted MD5 hash of user ID & date into the DB upon login and adding this to the user settings as well? Or is this going a bit overboard? Is there a better way of doing this, or essentially defining an "admin" session in my app?
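The concern in the question is that a value persisted in a user-editable settings file (my.settings.userID) is being used as the input to an authorization decision. The added example below (not code from the question, and not VB.NET; it is a Python illustration of the design) contrasts that with keeping the authenticated identity in an in-process session object created at login and re-querying the admin flag from the database whenever a restricted form is opened. The table and column names, the sample users, and the use of salted PBKDF2 in place of the question's md5 comparison are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import sqlite3
from dataclasses import dataclass
from typing import Optional


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated password hash; used here in place of the question's md5 check.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_sample_db() -> sqlite3.Connection:
    # Constructed stand-in for the application's user table (schema is assumed).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, is_admin INTEGER)"
    )
    for user_id, password, is_admin in [("alice", "alice-pass", 1), ("bob", "bob-pass", 0)]:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?)",
            (user_id, salt, hash_password(password, salt), is_admin),
        )
    conn.commit()
    return conn


@dataclass(frozen=True)
class Session:
    # Identity established by a successful password check; never written to disk.
    user_id: str


class AuthService:
    def __init__(self, conn: sqlite3.Connection):
        self._conn = conn
        self._session: Optional[Session] = None  # lives only in process memory

    def login(self, user_id: str, password: str) -> bool:
        row = self._conn.execute(
            "SELECT salt, pw_hash FROM users WHERE user_id = ?", (user_id,)
        ).fetchone()
        if row is None:
            return False
        salt, stored = row
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return False
        self._session = Session(user_id)
        return True

    def logout(self) -> None:
        self._session = None

    def is_admin(self) -> bool:
        # The decision is derived from the in-memory session and re-checked
        # against the database, not from a persisted settings value.
        if self._session is None:
            return False
        row = self._conn.execute(
            "SELECT is_admin FROM users WHERE user_id = ?", (self._session.user_id,)
        ).fetchone()
        return bool(row and row[0])


def settings_based_check(conn: sqlite3.Connection, settings: dict) -> bool:
    # The design the question worries about: the user id comes from a file
    # the user can edit, so the admin flag is looked up for whatever they wrote.
    row = conn.execute(
        "SELECT is_admin FROM users WHERE user_id = ?", (settings.get("userID"),)
    ).fetchone()
    return bool(row and row[0])


def demo() -> dict:
    # Non-admin "bob" logs in, then edits the persisted settings to name "alice".
    conn = build_sample_db()
    auth = AuthService(conn)
    settings = {"userID": ""}
    if not auth.login("bob", "bob-pass"):
        raise RuntimeError("constructed login should succeed")
    settings["userID"] = "bob"
    settings["userID"] = "alice"  # tampered settings file
    return {
        "settings_based": settings_based_check(conn, settings),  # True: tampering works
        "session_based": auth.is_admin(),                        # False: session says bob
    }


if __name__ == "__main__":
    print(demo())
```

Because the session object exists only in the running process and the admin flag is read from the database at the time of each check, editing the settings file after login changes nothing about what the application will grant; revoking admin in the database also takes effect on the next check without a re-login.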