I'm trying to design a Web-based application that requires manual user authentication based against security values for users located in a SQL table. In other words, the user starts from a login page, enters their username/password, and then a WQS agent connects to the SQL table and checks to see whether the user exists. If the user exists, and their security fields permit it, they are taken to a Welcome page, where the user can generate various reports from forms in the target database with other agents. If they don't authenticate, they are re-directed back to the login form with a message that their username/password is incorrect.
However, there is a very big hole in my solution: anyone can type a URL that accesses a particular form or agent in my target database (e.g. "http://myserver/targetDB/RestrictedForm?OpenForm¶m1=ABC
" or "http://myserver/targetDB/RestrictedAgent?OpenAgent¶m1=ABC
" and bypass my security check. How can I modify my forms and agents to block users that haven't gone through my login form and authenticated?
Any suggestions are appreciated!