
Robust login access


KingOrmon


Every UniGUI client connection already starts a separate session. UniGUI apps are stateful and keep session information on the server; you don't need to write anything yourself. Make the login logic like an ordinary desktop application: show some form for user/password, perform login, store results in mainmodule or your own datamodule so they are accessible to other parts of the application.


OK, but what if I want to create a cookie that allows access to users who have previously been validated?

 

My scenario:

 

1. User types login/password.

2. System validates and creates a cookie for 7 days.

3. When the user visits in 2 days, go directly to the app without the login form.

4. Update cookie for another 7 days.

5. If the user clicks an 'exit button', destroy the cookie and invalidate

 

Sorry for my ignorance. But I would like to make a secure login method.

 

Regards


But I would like to make a secure login method.

Keeping a cookie for 7 days that bypasses login doesn't sound secure to me at all, but if you wish:

 

uses
 EncdDecd;

// set some cookie for 60 minutes
UniApplication.Cookies.SetCookie('logininfo', EncodeString('logged in'), Now + (60.0/1440.0));

// check cookie later
if UniApplication.Cookies.Count > 0 then
 logininfo := DecodeString(UniApplication.Cookies.Values['logininfo']);


Sorry, but I don't understand the code...

 

How can I retrieve user/pass?

 

Simply set a cookie with a timestamp for validating and identifying a user?

Or how do I use UniApplication.Cookies.Values['logininfo'] to link to my user/pass needed to access the DB?

 

Thank you


It's up to you to decide what to store in the cookie; I just showed you how to.

But if you want my advice, then

1) upon successful login set a cookie which will be a hash (let's say MD5) of user_name + password + salt

2) salt should somehow be dependent on the current date/time. For example, for a value valid for 1 day:

salt := 'some_random_string_df7df87d8v80vds09vd9vf0d8gb8fdb8f0db00sjc' + FormatDateTime('ddmmyy', Now);

3) set a cookie with this value for N days

4) upon new session start, if this cookie is set, generate the above hash for every allowed user/password and check it against the cookie. If a match is found, you'll know the user/password of the matched hash. If you want to accept hashes from yesterday as well, make the same checks with the salt for the previous day.

5) Set cookie again with updated salt so it lasts longer.

 

Hash calculation, especially MD5, is blazing fast, and you also don't need to recalculate hashes for all users on every new session, since they change value only once per day. You can have a job on the SQL server which calculates valid hashes every 24 hours and stores them in a table.
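
A variant of the remember-me flow from this thread, as an added example that is not from any of the posters or from UniGUI: it swaps the derived MD5 value for a random token whose SHA-256 is kept server-side, so the cookie carries nothing computed from the password and the exit button can revoke it. The in-memory Store, the function names, the user 'alice' and the Windows-only BCryptGenRandom import are assumptions; the returned token is the value that would be passed to the UniApplication.Cookies.SetCookie call shown earlier.

```delphi
program RememberMeDemo; // added example; all names here are hypothetical
{$APPTYPE CONSOLE}
uses System.SysUtils, System.DateUtils, System.Hash, System.Generics.Collections;
type
  TRemembered = record UserName: string; Expires: TDateTime; end;
// Windows CNG RNG (assumes a Windows server); flag 2 = system-preferred RNG, nil handle.
function BCryptGenRandom(hAlg: Pointer; pbBuffer: PByte; cbBuffer, dwFlags: Cardinal): Integer;
  stdcall; external 'bcrypt.dll';
var
  Store: TDictionary<string, TRemembered>; // stands in for a DB table keyed by SHA-256(token)

// Called after a successful password login: returns the value to put in the cookie.
function IssueToken(const UserName: string): string;
var Buf: array[0..31] of Byte; R: TRemembered; I: Integer;
begin
  if BCryptGenRandom(nil, @Buf[0], SizeOf(Buf), 2) <> 0 then
    raise Exception.Create('random generator failed');
  Result := '';
  for I := 0 to High(Buf) do Result := Result + IntToHex(Buf[I], 2);
  R.UserName := UserName;
  R.Expires := IncDay(Now, 7);                   // 7 days, as in the scenario
  Store.Add(THashSHA2.GetHashString(Result), R); // only the hash is stored
end;

// Called at session start when the cookie is present; the old token is always discarded.
function RedeemToken(const Cookie: string; out UserName, NewCookie: string): Boolean;
var Key: string; R: TRemembered;
begin
  Key := THashSHA2.GetHashString(Cookie);
  Result := Store.TryGetValue(Key, R) and (R.Expires > Now);
  Store.Remove(Key);
  if Result then
  begin
    UserName := R.UserName;
    NewCookie := IssueToken(UserName); // fresh 7-day token replaces the used one
  end;
end;

var C1, C2, C3, User: string; Ok: Boolean;
begin
  Store := TDictionary<string, TRemembered>.Create;
  C1 := IssueToken('alice');                   // step 2: constructed user logs in
  Ok := RedeemToken(C1, User, C2);             // steps 3-4: redeem C1, rotate to C2
  Writeln('first visit: ', Ok, ' ', User);
  Writeln('replayed C1: ', RedeemToken(C1, User, C3));
  Store.Remove(THashSHA2.GetHashString(C2));   // step 5: exit button revokes server-side
  Writeln('after exit:  ', RedeemToken(C2, User, C3));
  Store.Free;
end.
```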
