uniGUI login system (database based)


7 replies to this topic

#1 tcsh

    Member

  • Members
  • 14 posts

Posted 10 February 2018 - 12:05 PM

Hello,

 

New to the forum, loving uniGUI so far.

 

Does anyone have a demo/code sample on how to make a login system in uniGUI?

I've done it simply with a predetermined user and password, and also learned to set up cookies and so forth. I just can't seem to find a demo that shows how to check the user and password in the database (MySQL), preferably with the password being encrypted in the database and the application able to handle that.

 

Any help? I'd appreciate it, thanks.



#2 Mohammed Nasman

    Advanced Member

  • uniGUI Subscriber
  • 161 posts
  • Location: Gaza - Palestine

Posted 11 February 2018 - 07:47 AM

Have you looked at the Demo folder? There are two demos:

- LoginForm

- LoginForm Cookies

Now these demos aren't related to authenticating users from a database, but it's not hard to change them to check against a database. Are you using database users, or users stored in a table?



#3 tcsh

    Member

  • Members
  • 14 posts

Posted 11 February 2018 - 07:14 PM

> Have you looked at the Demo folder? There are two demos:
>
> - LoginForm
>
> - LoginForm Cookies
>
> Now these demos aren't related to authenticating users from a database, but it's not hard to change them to check against a database. Are you using database users, or users stored in a table?

 

I did notice those, yes; they're ideal. I'm just having trouble finding an example of how to do the checks and implement that with encrypted passwords. Still reading on that. I'm using usernames and passwords saved in a table; they're plaintext at the moment, but I'd like to store the password encrypted somehow, not in plaintext.



#4 Delphi Developer

    Advanced Member

  • Moderators
  • 4754 posts

Posted 11 February 2018 - 07:32 PM

Hi,

 

If you would like to make it even more secure, you can also use SSL and ask for a random salt string from the server, salt the password and hash it.



#5 Mohammed Nasman

    Advanced Member

  • uniGUI Subscriber
  • 161 posts
  • Location: Gaza - Palestine

Posted 12 February 2018 - 05:22 AM

> I did notice those, yes; they're ideal. I'm just having trouble finding an example of how to do the checks and implement that with encrypted passwords. Still reading on that. I'm using usernames and passwords saved in a table; they're plaintext at the moment, but I'd like to store the password encrypted somehow, not in plaintext.

 

You can use System.Hash to hash passwords, as:

uses
  System.Hash;

....

  MyHashedPassword := THashSHA2.GetHashString('MyPassword', THashSHA2.TSHA2Version.SHA256);

so you can store it in the database as a hash, and when the user logs in, you hash the password and compare it to the one in the database. For more security, please follow what Delphi Developer suggested.



#6 tcsh

    Member

  • Members
  • 14 posts

Posted 16 February 2018 - 05:31 PM

> Hi,
>
> If you would like to make it even more secure, you can also use SSL and ask for a random salt string from the server, salt the password and hash it.

 

Hey there, thanks for your reply. I'm really new at this, but if I understand you correctly that would imply having an SSL certificate on the server/website I'm deploying to, right? If yes, then I'll hold off on this suggestion, as I don't know when/if I'll have SSL on that (planning on it though; it will just be a while).

 

I'd appreciate it if you have a simple working demo doing what you suggested, or a tutorial / reading I could take a look at until I actually take it on.

Thanks, nonetheless!

 

 

> You can use System.Hash to hash passwords, as:
>
> uses
>   System.Hash;
>
> ....
>
>   MyHashedPassword := THashSHA2.GetHashString('MyPassword', THashSHA2.TSHA2Version.SHA256);
>
> so you can store it in the database as a hash, and when the user logs in, you hash the password and compare it to the one in the database. For more security, please follow what Delphi Developer suggested.

 

Sheesh, exactly what I was looking for. Never having needed to do a login system with hashed passwords saved in the database until now, I didn't have the faintest clue what to search for / what it's called. I eventually found this http://docwiki.embar....Hash.THashSHA2 after reading your comment and searching for System.Hash.

 

Your example line was obviously instantly helpful, but guess what: after reading on my own for the past several days (prior to your answer), I had somehow mistaken hashing for encrypt / decrypt, and you can imagine how off course I was at that point; I kept searching for how the hell you decrypt it now. Eventually I stumbled upon another tutorial which, among several hundred lines of text, had one in particular that made me throw rocks at my head, namely: Generate a hash for a password and compare it during the sign-in process.

 

And after finding that I just noticed you said the exact same thing. lol!

 

Pretty funny how not reading thoroughly makes you waste a couple of days. Lesson learned! 

 

So, after all that, I eventually came up with this code for the login procedure:

// Requires System.Hash in the unit's uses clause (for THashSHA2)
procedure TUniLoginForm1.UniButton1Click(Sender: TObject);
var
  hash: string;
begin
  // Look the user up by name; the parameter keeps the entered value out of the SQL text
  UniMainModule.loginQuery.SQL.Text := 'SELECT username, password FROM membri WHERE username=:username';
  UniMainModule.loginQuery.Params.ParamByName('username').Value := UniEdit1.Text;
  try
    UniMainModule.loginQuery.Open;
    if UniMainModule.loginQuery.IsEmpty then // No record found for user
      ShowMessage('Utilizator inexistent')  // Handle error
    else
    begin
      // Hash the entered password and compare it with the hash stored for this user
      hash := THashSHA2.GetHashString(UniEdit2.Text, THashSHA2.TSHA2Version.SHA256);
      if UniMainModule.loginQuery.FieldByName('password').AsString <> hash then
        ShowMessage('Parola gresita') // Handle password mismatch
      else
      begin
        UniMainModule.LoggedUser := UniEdit1.Text;
        if UniCheckBox1.Checked then
        begin
          UniApplication.Cookies.SetCookie('_loginname', UniEdit1.Text, Date + 7.0); // Expires 7 days from now
          UniApplication.Cookies.SetCookie('_pwd', UniEdit2.Text, Date + 7.0); // Note: the entered password itself goes into this cookie
        end;
        ModalResult := mrOK;
      end;
    end;
  finally
    UniMainModule.loginQuery.Close;
  end;
end;

It works perfectly, in the sense that it searches for the username first; if it doesn't find the username it raises a message, and if it does find it, it hashes the password and compares the hash to the hash saved in the database for that username. If they don't differ, voilà, logged in. If they do differ, it raises another message and no login.

 

So far that's perfect. 

 

Trying now to figure out how to change this part of the code related to cookies so it works with my new setup:

procedure TUniMainModule.UniGUIMainModuleBeforeLogin(Sender: TObject; var Handled: Boolean);
var
S1, S2 : string;
begin
  S1 := (Sender as TUniGUISession).UniApplication.Cookies.Values['_loginname'];
  S2 := (Sender as TUniGUISession).UniApplication.Cookies.Values['_pwd'];

  Handled := SameText(S1, 'demo') and SameText(S2, 'demo');

  if Handled then
    LoggedUser := S1;
end;

How would that look?

 

Also thinking about the salt part: how do I use a salt with the current setup? And if I do, I'm assuming I'll have to adjust the cookie code again, right?

 

Thanks again!


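One way to adapt the cookie part, as an added example (not code from the thread or from uniGUI): instead of the `_pwd` cookie, issue a random token, store its SHA-256 in a new column `remember_token_hash` on `membri` (assumed schema), and have `UniGUIMainModuleBeforeLogin` look the token up. `NewRememberToken`, `IssueRememberCookie` (to be declared in the `TUniLoginForm1` class), the column name and a second FireDAC-style query component `tokenQuery` on the main module are assumptions; the uniGUI types, `loginQuery` and `LoggedUser` are those used in the post.

```delphi
uses
  System.SysUtils, System.Hash;

// Fresh random token for one "remember me" cookie (hypothetical helper).
// Assumption: CreateGUID is the random source (a random v4 UUID on Windows); use a CSPRNG where available.
function NewRememberToken: string;
var
  G: TGUID;
begin
  if CreateGUID(G) <> 0 then
    raise Exception.Create('Could not generate a token');
  Result := THashSHA2.GetHashString(GUIDToString(G), THashSHA2.TSHA2Version.SHA256);
end;

// Call this in UniButton1Click instead of SetCookie('_pwd', ...): only the
// token's hash is stored in the database; only the token itself goes to the browser.
procedure TUniLoginForm1.IssueRememberCookie(const UserName: string);
var
  Token: string;
begin
  Token := NewRememberToken;
  UniMainModule.tokenQuery.SQL.Text :=
    'UPDATE membri SET remember_token_hash = :h WHERE username = :u';
  UniMainModule.tokenQuery.Params.ParamByName('h').Value :=
    THashSHA2.GetHashString(Token, THashSHA2.TSHA2Version.SHA256);
  UniMainModule.tokenQuery.Params.ParamByName('u').Value := UserName;
  UniMainModule.tokenQuery.ExecSQL;
  UniApplication.Cookies.SetCookie('_remember', Token, Date + 7.0); // 7 days, as before
end;

// Replaces the demo/demo check: the cookie's token is hashed and looked up.
procedure TUniMainModule.UniGUIMainModuleBeforeLogin(Sender: TObject; var Handled: Boolean);
var
  Token: string;
begin
  Handled := False;
  Token := (Sender as TUniGUISession).UniApplication.Cookies.Values['_remember'];
  if Token = '' then Exit;
  loginQuery.SQL.Text := 'SELECT username FROM membri WHERE remember_token_hash = :h';
  loginQuery.Params.ParamByName('h').Value :=
    THashSHA2.GetHashString(Token, THashSHA2.TSHA2Version.SHA256);
  try
    loginQuery.Open;
    if not loginQuery.IsEmpty then
    begin
      LoggedUser := loginQuery.FieldByName('username').AsString;
      Handled := True;
    end;
  finally
    loginQuery.Close;
  end;
end;
```

Clearing `remember_token_hash` on logout or password change invalidates the cookie server-side, which the old `_pwd` approach could not do.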

#7 delphidude

    Advanced Member

  • uniGUI Subscriber
  • 190 posts
  • Location: Norway

Posted 27 February 2018 - 11:37 PM

The reason for the salt is that somebody could realize that you hashed the pw, and then try to do the same thing to crack it, by hashing pw suggestions using the typical hashing algos; but if you also have a salt stored in the DB, which is combined with the hashed pw to re-hash it x times, then things get a notch harder to crack, as there is another element in the mix.

If you then store the salt in the cookie, the point of the salt is gone, as it could theoretically be picked up and used in the cracking process. The salt should not be transferred over the net openly (like without SSL), for maximum security.


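A concrete salt scheme following the explanation above, as an added example (not from the thread or from uniGUI): a per-user random salt stored beside the hash in `membri` (assumed columns `salt` and `password_hash`), the salt mixed into the password and re-hashed a fixed number of rounds, and a comparison that does not stop at the first differing character. `NewSalt`, `HashPassword`, `DigestsEqual`, `VerifyPassword` and the round count are assumptions; a purpose-built KDF such as PBKDF2 does the stretching better where one is available.

```delphi
uses
  System.SysUtils, System.Hash;

const
  HashRounds = 10000; // the "x times" re-hashing from the explanation; tune for your server

// Per-user random salt, kept in the database beside the hash (hypothetical helper).
// Assumption: CreateGUID is the random source (a random v4 UUID on Windows).
function NewSalt: string;
var
  G: TGUID;
begin
  if CreateGUID(G) <> 0 then
    raise Exception.Create('Could not generate a salt');
  Result := GUIDToString(G);
end;

// Salt and password hashed once, then the salt mixed in again on every round,
// so a table of precomputed plain SHA-256(password) values does not apply.
function HashPassword(const Password, Salt: string): string;
var
  I: Integer;
begin
  Result := THashSHA2.GetHashString(Salt + Password, THashSHA2.TSHA2Version.SHA256);
  for I := 2 to HashRounds do
    Result := THashSHA2.GetHashString(Salt + Result, THashSHA2.TSHA2Version.SHA256);
end;

// Compares two hex digests in time that depends only on their length.
function DigestsEqual(const A, B: string): Boolean;
var
  I, Diff: Integer;
begin
  if Length(A) <> Length(B) then
    Exit(False);
  Diff := 0;
  for I := 1 to Length(A) do
    Diff := Diff or (Ord(A[I]) xor Ord(B[I]));
  Result := Diff = 0;
end;

// Registration: store NewSalt and HashPassword(Password, Salt) in membri.
// Login: read that user's salt and password_hash, then call this instead of
// the plain string comparison in UniButton1Click.
function VerifyPassword(const Entered, StoredSalt, StoredHash: string): Boolean;
begin
  Result := DigestsEqual(StoredHash, HashPassword(Entered, StoredSalt));
end;
```

The salt stays on the server: a "remember me" cookie holds a separate random token, never the salt or the password.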

#8 tcsh

    Member

  • Members
  • 14 posts

Posted 16 March 2018 - 01:14 PM

> The reason for the salt is that somebody could realize that you hashed the pw, and then try to do the same thing to crack it, by hashing pw suggestions using the typical hashing algos; but if you also have a salt stored in the DB, which is combined with the hashed pw to re-hash it x times, then things get a notch harder to crack, as there is another element in the mix.
>
> If you then store the salt in the cookie, the point of the salt is gone, as it could theoretically be picked up and used in the cracking process. The salt should not be transferred over the net openly (like without SSL), for maximum security.

 

thanks, appreciate the answer. Helped me implement everything.

