If you would like to make it even more secure, you can also use SSL and ask for a random salt string from the server, salt the password and hash it.
Hey there, thanks for your reply. I'm really new at this, but if I understand you correctly that would imply having an SSL certificate on the server/website I'm deploying to, right? If yes, then I'll hold off on this suggestion, as I don't know when/if I'll have SSL on that (planning on it though - it will just be a while).
I'd appreciate it if you have a simple working demo doing what you suggested, or a tutorial / reading I could take a look at until I actually take it on.
You can use System.Hash to hash passwords, as:
  MyHashedPassword := THashSHA2.GetHashString('MyPassword', THashSHA2.TSHA2Version.SHA256);
so you can store it in the database hashed, and when the user logs in, you hash the password and compare it to the one in the database. For more security, please follow what Delphi Developer suggested.
Sheesh, exactly what I was looking for. Never having needed to do a login system with hashed passwords saved in the database until now, I didn't have the faintest clue what to search for / what it's called. I eventually found this http://docwiki.embar....Hash.THashSHA2 after reading your comment and searching for System.Hash.
Your example line was obviously instantly helpful, but guess what: after reading on my own for the past several days (prior to your answer) I had somehow mistaken hashing for encrypt / decrypt - and you can imagine how off course I was at that point; I kept searching for how the hell you decrypt it now. Eventually I stumbled upon another tutorial which, between the several hundred lines of text, had one line in particular that made me throw rocks at my head, namely: Generate a hash for a password and compare it during the sign-in process.
And after finding that I just noticed you said the exact same thing. lol!
Pretty funny how not reading thoroughly makes you waste a couple of days. Lesson learned!
So, after all that, I eventually came up with this code for the login procedure:
procedure TUniLoginForm1.UniButton1Click(Sender: TObject);
var
  hash: string;
begin
  // Look up the user row by username (parameterised, so the input is not concatenated into SQL)
  UniMainModule.loginQuery.Close;
  UniMainModule.loginQuery.SQL.Text := 'SELECT username, password FROM membri WHERE username=:username';
  UniMainModule.loginQuery.Params.ParamByName('username').Value := UniEdit1.Text;
  UniMainModule.loginQuery.Open;
  if UniMainModule.loginQuery.IsEmpty then // No record found for user
  begin
    ShowMessage('Utilizator inexistent'); // Handle error
    Exit;
  end;
  // Hash the entered password and compare it with the stored hash
  hash := THashSHA2.GetHashString(UniEdit2.Text, THashSHA2.TSHA2Version.SHA256);
  if UniMainModule.loginQuery.FieldByName('password').Value <> hash then
  begin
    ShowMessage('Parola gresita'); // Handle password mismatch
    Exit;
  end;
  UniMainModule.LoggedUser := UniEdit1.Text;
  if UniCheckBox1.Checked then // "Remember me"
  begin
    UniApplication.Cookies.SetCookie('_loginname', UniEdit1.Text, Date + 7.0); // Expires 7 days from now
    UniApplication.Cookies.SetCookie('_pwd', UniEdit2.Text, Date + 7.0); // Stores the plain password (see question below)
  end;
  ModalResult := mrOK;
end;
It works perfectly, in the sense that it searches for the username first; if it doesn't find the username it raises a message, and if it does find it, it hashes the password and compares the hash to the hash saved in the database for that username. If they don't differ, voilà, logged in. If they do differ, it raises another message and no login.
So far that's perfect.
Trying now to figure out how to change this part of the code related to cookies so it works with my new setup:
procedure TUniMainModule.UniGUIMainModuleBeforeLogin(Sender: TObject; var Handled: Boolean);
var
  S1, S2: string;
begin
  // Read the values saved by the login form's "remember me" cookies
  S1 := (Sender as TUniGUISession).UniApplication.Cookies.Values['_loginname'];
  S2 := (Sender as TUniGUISession).UniApplication.Cookies.Values['_pwd'];
  // Demo check: auto-login only for the fixed demo/demo pair
  Handled := SameText(S1, 'demo') and SameText(S2, 'demo');
  if Handled then
    LoggedUser := S1;
end;
How would that look?
Also thinking about the salt part: how do I use a salt with the current setup? And if I do, I'm assuming I'll have to adjust the cookie code again, right?
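The suggestion at the top of the thread (a random per-user salt, then hash) and the salt question just above can be shown in one small console program. This is an added example written for this thread, not code from the poster or from uniGUI. It keeps the thread's own building block, THashSHA2.GetHashString with SHA256, and adds three things that are assumptions of the example rather than anything the thread specifies: the stored column format "<salt>$<hex hash>", the use of CreateGUID as the salt source (on Windows it returns a version-4 GUID, i.e. 122 random bits from the OS), and the program/function names.

```delphi
program SaltedPasswordDemo; // hypothetical name; added example, not from the thread

{$APPTYPE CONSOLE}

uses
  System.SysUtils, System.Hash;

const
  Separator = '$'; // assumption: salt and hash share one column, split by '$'

// Fresh random salt for each stored password. CreateGUID yields a version-4 GUID on
// Windows (122 random bits), so two users with the same password get different hashes.
function NewSalt: string;
var
  G: TGUID;
begin
  if CreateGUID(G) <> S_OK then
    raise Exception.Create('Could not generate salt');
  Result := GUIDToString(G); // e.g. {0C1F...}; the braces and dashes are harmless in the salt
end;

// The thread's hashing call, with the salt prepended to the password.
function HashWithSalt(const Salt, Password: string): string;
begin
  Result := THashSHA2.GetHashString(Salt + Password, THashSHA2.TSHA2Version.SHA256);
end;

// Value to write into the password column at registration: "<salt>$<hex hash>".
function MakeStoredPassword(const Password: string): string;
var
  Salt: string;
begin
  Salt := NewSalt;
  Result := Salt + Separator + HashWithSalt(Salt, Password);
end;

// Compares every character regardless of where the first mismatch is, so the time
// taken does not reveal how many leading characters of the hash were right.
function ConstantTimeEquals(const A, B: string): Boolean;
var
  I, Diff: Integer;
begin
  if Length(A) <> Length(B) then
    Exit(False);
  Diff := 0;
  for I := 1 to Length(A) do
    Diff := Diff or (Ord(A[I]) xor Ord(B[I]));
  Result := Diff = 0;
end;

// At login: take the salt from the stored value, hash the candidate with it, compare.
function VerifyPassword(const Stored, Candidate: string): Boolean;
var
  P: Integer;
  Salt, ExpectedHash: string;
begin
  P := Pos(Separator, Stored);
  if P = 0 then
    Exit(False); // malformed row: treat as a failed login rather than raising
  Salt := Copy(Stored, 1, P - 1);
  ExpectedHash := Copy(Stored, P + 1, MaxInt);
  Result := ConstantTimeEquals(HashWithSalt(Salt, Candidate), ExpectedHash);
end;

var
  Stored: string;
begin
  Stored := MakeStoredPassword('MyPassword'); // constructed sample password
  Writeln('stored value:            ', Stored);
  Writeln('correct password passes: ', VerifyPassword(Stored, 'MyPassword'));   // TRUE
  Writeln('wrong password passes:   ', VerifyPassword(Stored, 'NotMyPassword')); // FALSE
end.
```

In the login form above this means the password column holds the value returned by MakeStoredPassword, and the line comparing FieldByName('password').Value with hash becomes a call to VerifyPassword(FieldByName('password').AsString, UniEdit2.Text). Two caveats worth knowing while adapting it: a plain SHA-256 is fast by design, so a purpose-built password hash (PBKDF2, bcrypt or similar, which iterate many times) is the stronger choice once one is available to you; and a "remember me" cookie should carry a random token that the server maps to the user, not the password or its hash, so the BeforeLogin handler would look up that token instead of comparing cookie values to 'demo'.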