Petzy Posted February 10, 2018

Hello,

New to the forum, loving uniGUI so far. Does anyone have a demo/code sample on how to make a login system in uniGUI?

I've done it simple with a predetermined user and pass, also learned to set up cookies and so forth. I just can't seem to find a demo that shows how to check for the user and password in the database (MySQL), preferably with the password being encrypted in the database and the application able to handle that.

Any help? I'd appreciate it, thanks.

Mohammed Nasman Posted February 11, 2018

Have you looked at the Demo folder? There are two demos:

- LoginForm
- LoginForm Cookies

Now these demos aren't related to authenticating users from a database, but it's not hard to change that to check from a database. Are you using database users, or users stored in a table?

Petzy Posted February 11, 2018 (Author)

> Have you looked at the Demo folder? There are two demos:
>
> - LoginForm
> - LoginForm Cookies
>
> Now these demos aren't related to authenticating users from a database, but it's not hard to change that to check from a database. Are you using database users, or users stored in a table?

I did notice those, yes. They're ideal, I'm just having trouble finding an example on how to do the checks and implement that with encrypted passwords. Still reading on that.

I'm using users and passwords saved in a table. They're plaintext at the moment, but I'd like to use the password encrypted somehow, not save it as plaintext.

Sherzod Posted February 11, 2018

Hi,

If you would like to make it even more secure, you can also use SSL and ask for a random salt string from the server, salt the password and hash it.

Mohammed Nasman Posted February 12, 2018

> I did notice those, yes. They're ideal, I'm just having trouble finding an example on how to do the checks and implement that with encrypted passwords. Still reading on that.
>
> I'm using users and passwords saved in a table. They're plaintext at the moment, but I'd like to use the password encrypted somehow, not save it as plaintext.

You can use System.Hash to hash passwords, as:

    uses System.Hash;
    // ...
    MyHashedPassword := THashSHA2.GetHashString('MyPassword', THashSHA2.TSHA2Version.SHA256);

so you can store it in the database hashed, and when the user logs in, you hash the password and compare it to the one in the database. For more security, please follow what Delphi Developer suggested.

Petzy Posted February 16, 2018 (Author)

> Hi,
>
> If you would like to make it even more secure, you can also use SSL and ask for a random salt string from the server, salt the password and hash it.

Hey there, thanks for your reply. I'm really new at this, but if I understand you correctly, that would imply me having an SSL certificate on the server/website I'm deploying to, right? If yes, then I'll hold off on this suggestion, as I don't know when/if I'll have SSL on that (planning on it though, it will just be a while). I'd appreciate it if you have a simple working demo doing what you suggested, or a tutorial / reading I could take a look at until I actually take it on. Thanks, nonetheless!

> You can use System.Hash to hash passwords, as:
>
>     uses System.Hash;
>     // ...
>     MyHashedPassword := THashSHA2.GetHashString('MyPassword', THashSHA2.TSHA2Version.SHA256);
>
> so you can store it in the database hashed, and when the user logs in, you hash the password and compare it to the one in the database. For more security, please follow what Delphi Developer suggested.

Sheesh, exactly what I was looking for. Never having the need to do a login system with hashed passwords saved in the database, until now, I didn't have the faintest clue what to search for / what it's called. I eventually found this http://docwiki.embarcadero.com/Libraries/Tokyo/en/System.Hash.THashSHA2 after reading your comment and searching for System.Hash.

Your example line was obviously instantly helpful, but guess what, after I've been reading on my own for the past several days (prior to your answer) I've somehow mistaken hashing for encrypt / decrypt, and you could imagine how off course I was at that point. I kept searching how the hell do you decrypt it now. Eventually stumbled upon another tutorial which, between the several hundred lines of text, had one in particular that made me throw rocks at my head, namely: Generate a hash for a password and compare it during sign in process.

And after finding that I just noticed you said the exact same thing. lol! Pretty funny how not reading thoroughly makes you waste a couple of days. Lesson learned!

So, after all that, I eventually came up with this code for the login procedure:

    procedure TUniLoginForm1.UniButton1Click(Sender: TObject);
    var
      hash: string;
    begin
      UniMainModule.loginQuery.SQL.Text :=
        'SELECT username, password FROM membri WHERE username=:username';
      UniMainModule.loginQuery.Params.ParamByName('username').Value := UniEdit1.Text;
      try
        UniMainModule.loginQuery.Open;
        if UniMainModule.loginQuery.IsEmpty then
          // No record found for user
          ShowMessage('Utilizator inexistent') // Handle error ("User does not exist")
        else
        begin
          hash := THashSHA2.GetHashString(UniEdit2.Text, THashSHA2.TSHA2Version.SHA256);
          if UniMainModule.loginQuery.FieldByName('password').Value <> hash then
          begin
            ShowMessage('Parola gresita'); // Handle password mismatch ("Wrong password")
          end
          else
          begin
            UniMainModule.LoggedUser := UniEdit1.Text;
            if UniCheckBox1.Checked then
            begin
              UniApplication.Cookies.SetCookie('_loginname', UniEdit1.Text, Date + 7.0); // Expires 7 days from now
              UniApplication.Cookies.SetCookie('_pwd', UniEdit2.Text, Date + 7.0);
            end;
            ModalResult := mrOK;
          end;
        end;
      finally
        UniMainModule.loginQuery.Close;
      end;
    end;

It works perfectly, in the sense that it's searching for the username first. If it doesn't find the username it raises a Message; if it does find it, then it hashes the password and compares the hash to the hash saved in the database for that username. If they don't differ, voila, logged in. If they do differ, it raises another Message and no login. So far that's perfect.

Trying now to figure out how to change this part of the code related to cookies so it works with my new setup:

    procedure TUniMainModule.UniGUIMainModuleBeforeLogin(Sender: TObject; var Handled: Boolean);
    var
      S1, S2: string;
    begin
      S1 := (Sender as TUniGUISession).UniApplication.Cookies.Values['_loginname'];
      S2 := (Sender as TUniGUISession).UniApplication.Cookies.Values['_pwd'];
      Handled := SameText(S1, 'demo') and SameText(S2, 'demo');
      if Handled then
        LoggedUser := S1;
    end;

How would that look?

Also thinking on the salt part: how do I use a salt with the current setup? And if I do, I'm assuming I'll have to adjust the cookies code again, right?

Thanks again!

Ron Posted February 27, 2018

The reason for the salt is that somebody could realize that you hashed the pw, and then try to do the same thing to crack it, by hashing pw suggestions using the typical hashing algos, but if you also have a salt stored in the db, which is combined with the hashed pw to re-hash it x times, then things get a notch harder to crack, as there is another element in the mix.

If you then store the salt in the cookie, the point of the salt is gone, as it could theoretically be picked up and used in the cracking process.

The salt should not be transferred over the net openly (like without SSL), for maximum security.

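An added example, not part of any post in this thread and not uniGUI or Delphi code: the salted, repeated hashing described above, written in Python with PBKDF2-HMAC-SHA256 standing in for "re-hash it x times", plus an upgrade path for rows that still hold the unsalted SHA-256 hex produced earlier in the thread. The function names, the `prefix$iterations$salt$hash` column format and the iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; tune it to your server
PREFIX = "pbkdf2_sha256"  # assumed label for the storage format used here


def legacy_sha256(password: str) -> str:
    """Unsalted scheme from the thread: hex SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Build the value for the password column: prefix$iterations$salt$hash."""
    salt = secrets.token_bytes(16)  # fresh random salt for every user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != PREFIX:
        return False
    try:
        salt, expected = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(parts[1]))
    except (ValueError, OverflowError):  # malformed row
        return False
    return hmac.compare_digest(dk, expected)


def login(password: str, stored: str, iterations: int = ITERATIONS):
    """Return (ok, value_to_store); unsalted legacy rows are upgraded on success."""
    if stored.startswith(PREFIX + "$"):
        return verify_password(password, stored), stored
    legacy = legacy_sha256(password).encode("ascii")
    if hmac.compare_digest(legacy, stored.lower().encode("utf-8")):
        return True, hash_password(password, iterations)
    return False, stored


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    print(legacy_sha256("hunter2") == legacy_sha256("hunter2"))  # identical rows
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print(a != b, verify_password("hunter2", a), verify_password("hunter2", b))
    print(login("hunter2", legacy_sha256("hunter2"))[1].split("$")[0])
```

The salt travels only between the application and the database; the browser never needs it, because the server recomputes the hash from the submitted password.
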
Petzy Posted March 16, 2018 (Author)

> The reason for the salt is that somebody could realize that you hashed the pw, and then try to do the same thing to crack it, by hashing pw suggestions using the typical hashing algos, but if you also have a salt stored in the db, which is combined with the hashed pw to re-hash it x times, then things get a notch harder to crack, as there is another element in the mix.
>
> If you then store the salt in the cookie, the point of the salt is gone, as it could theoretically be picked up and used in the cracking process.
>
> The salt should not be transferred over the net openly (like without SSL), for maximum security.

Thanks, appreciate the answer. Helped me implement everything.

sistem80 Posted May 4, 2019

Hi. I made it this way so that other users can switch automatically:

    procedure TUniMainModule.UniGUIMainModuleBeforeLogin(Sender: TObject; var Handled: Boolean);
    var
      S1, S2: string;
    begin
      S1 := (Sender as TUniGUISession).UniApplication.Cookies.Values['_loginname'];
      S2 := (Sender as TUniGUISession).UniApplication.Cookies.Values['_pwd'];
      loginQuery.SQL.Text :=
        'SELECT USERNAME, PASS FROM KULLAN WHERE USERNAME=:USERNAME AND PASS=:PASS';
      loginQuery.Params.ParamByName('USERNAME').Value := S1;
      loginQuery.Params.ParamByName('PASS').Value := S2;
      UniMainModule.loginQuery.Open;
      if not UniMainModule.loginQuery.IsEmpty then
      begin
        // A matching row was found for the cookie values
        Handled := SameText(S1, S1) and SameText(S2, S2);
        if Handled then
          LoggedUser := S1;
      end;
    end;

Log out:

    UniApplication.Cookies.SetCookie('_loginname', '', Date - 1);
    UniApplication.Cookies.SetCookie('_pwd', '', Date - 1);
    UniApplication.Restart;

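An added example, not part of any post in this thread and not uniGUI or Delphi code: one way to get the automatic login discussed above without placing the password in the `_pwd` cookie. The cookie carries a random single-use token and the server keeps only its hash; the Python class below, its in-memory table and the `selector:validator` cookie layout are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 7 * 24 * 3600  # seven days, matching the cookie lifetime in the thread


class RememberMeStore:
    """In-memory stand-in for a table: selector -> (token_hash, username, expires)."""

    def __init__(self):
        self.rows = {}

    def issue(self, username, now=None):
        """Create a token for the user and return the cookie value."""
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(9)    # lookup key, not secret
        validator = secrets.token_urlsafe(32)  # secret half, only its hash is stored
        digest = hashlib.sha256(validator.encode("ascii")).digest()
        self.rows[selector] = (digest, username, now + TOKEN_TTL)
        return f"{selector}:{validator}"

    def redeem(self, cookie, now=None):
        """Return (username, replacement_cookie), or (None, None) if rejected."""
        now = time.time() if now is None else now
        selector, sep, validator = cookie.partition(":")
        row = self.rows.pop(selector, None)  # single use: the row goes either way
        if not sep or row is None:
            return None, None
        digest, username, expires = row
        offered = hashlib.sha256(validator.encode("utf-8")).digest()
        if now > expires or not hmac.compare_digest(offered, digest):
            return None, None
        return username, self.issue(username, now)  # rotate on every use

    def revoke_user(self, username):
        """Log out everywhere: drop every token belonging to the user."""
        self.rows = {s: r for s, r in self.rows.items() if r[1] != username}


if __name__ == "__main__":
    store = RememberMeStore()
    cookie = store.issue("petzy")       # constructed user name
    user, cookie2 = store.redeem(cookie)
    print(user, store.redeem(cookie))   # replaying the old cookie is rejected
```

A copied cookie then exposes one rotating token that can be revoked server-side, and a leaked token table exposes only hashes of random values.
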