KingOrmon, posted March 1, 2012
Hi Farshad, I need to use a login/pass form for access to my web app. Which is the best/most secure way to store the session (user/pass) in a cookie? Regards
zilav, posted March 1, 2012
Every UniGUI client connection already starts a separate session. UniGUI apps are stateful and keep session information on the server, so you don't need to write anything yourself. Make the login logic like in an ordinary desktop application: show some form for user/password, perform the login, and store the results in the mainmodule or your own datamodule so they are accessible to other parts of the application.
KingOrmon (author), posted March 2, 2012
OK, but what if I want to create a cookie that allows access to users that have previously been validated? My scenario:
1. User types login/password.
2. System validates and creates a cookie for 7 days.
3. When the user visits again within 2 days, go directly to the app without the login form.
4. Update the cookie for another 7 days.
5. If the user clicks on an 'exit' button, destroy the cookie and invalidate it.
Sorry for my ignorance, but I would like to make a secure login method. Regards
zilav, posted March 2, 2012
Quoting KingOrmon: "But I would like to make a secure login method."
Keeping a cookie for 7 days that bypasses login doesn't sound secure to me at all, but if you wish:

    uses EncdDecd;   // EncodeString/DecodeString (Base64)

    var
      logininfo: string;

    // set some cookie for 60 minutes (expiry is a TDateTime; 60 min = 60/1440 of a day)
    UniApplication.Cookies.SetCookie('logininfo', EncodeString('logged in'), Now + (60.0/1440.0));

    // check cookie later; Values[] returns '' when the cookie is absent
    if UniApplication.Cookies.Count > 0 then
      logininfo := DecodeString(UniApplication.Cookies.Values['logininfo']);
KingOrmon (author), posted March 2, 2012
Sorry, but I don't understand the code. How can I retrieve the user/pass? Simply set a cookie with a timestamp for validating and identifying a user? Or how do I use UniApplication.Cookies.Values['logininfo'] to link to the user/pass needed to access the DB? Thank you
zilav, posted March 2, 2012
It's up to you to decide what to store in the cookie; I just showed you how to. But if you want my advice, then:
1) Upon successful login, set a cookie which will be a hash (let's say MD5) of user_name + password + salt.
2) The salt should somehow be dependent on the current date/time. For example, for a value valid for 1 day:

    // fixed secret part plus the current day, so the value changes once per day
    salt := 'some_random_string_df7df87d8v80vds09vd9vf0d8gb8fdb8f0db00sjc' + FormatDateTime('ddmmyy', Now);

3) Set a cookie with this value for N days.
4) Upon a new session start, if this cookie is set, generate the above hash for every allowed user/password and check against the cookie. If a match is found, you'll know the user/password of the matched hash. If you want to accept hashes also from yesterday, make the same checks with the salt for the previous day.
5) Set the cookie again with the updated salt so it lasts longer.
Hash calculation, especially MD5, is blazing fast, and you also don't need to recalculate hashes for all users on every new session since they change value only once per day. You can have a job on the SQL server which calculates valid hashes every 24 hours and stores them in a table.
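The scheme zilav lays out in steps 1 to 5, as an added example written for this page; it is not code from the thread or from UniGUI. It is in Python so the logic can be run without a Delphi/UniGUI install; in a real app the SetCookie/Values calls from the earlier post would carry the value. The user table, the salt prefix and the dates are constructed sample values. The second half shows, beside it, the alternative I would reach for: a random opaque token whose SHA-256 is kept in a server-side table, which also gives the server-side logout that step 5 of KingOrmon's scenario asks for.

```python
import hashlib
import secrets
from datetime import date, timedelta

# Constructed sample user table: username -> cleartext password. The scheme on
# the page hashes the cleartext password, so the lookup needs it in this form.
USERS = {
    "alice": "correct horse",
    "bob": "hunter2",
}

# Assumed server-side secret prefix (the post uses a long random literal).
SALT_PREFIX = "some_random_string_df7df87d8v80vds09vd9vf0d8gb8fdb8f0db00sjc"


def day_salt(day: date) -> str:
    """Step 2: salt that changes once per day (ddmmyy, as in the post)."""
    return SALT_PREFIX + day.strftime("%d%m%y")


def login_hash(user: str, password: str, day: date) -> str:
    """Step 1: MD5(user_name + password + salt) for the given day."""
    return hashlib.md5((user + password + day_salt(day)).encode()).hexdigest()


def valid_hashes(day: date) -> dict:
    """The table the daily SQL job would precompute: hash -> username."""
    return {login_hash(u, p, day): u for u, p in USERS.items()}


def user_from_cookie(cookie: str, today: date):
    """Step 4: match the cookie against today's hashes, then yesterday's."""
    for day in (today, today - timedelta(days=1)):
        table = valid_hashes(day)
        if cookie in table:
            return table[cookie]
    return None


def renew_cookie(user: str, today: date) -> str:
    """Step 5: reissue the cookie with today's salt so it keeps working."""
    return login_hash(user, USERS[user], today)


# --- Alternative: random opaque token, looked up server-side ---------------
# token_hash -> (username, expiry). Only a hash of the token is stored, so a
# copy of this table does not by itself yield usable cookies.
SESSIONS = {}


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user: str, today: date, days: int = 7) -> str:
    """Remember-me token valid for `days` days (step 2 of the scenario)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[_token_key(token)] = (user, today + timedelta(days=days))
    return token


def user_from_token(token: str, today: date):
    """Returns the user if the token exists and has not expired."""
    entry = SESSIONS.get(_token_key(token))
    if entry is None or entry[1] < today:
        return None
    return entry[0]


def revoke_token(token: str) -> None:
    """The 'exit' button: the token stops working on every client at once."""
    SESSIONS.pop(_token_key(token), None)
```

Two points the code makes visible: with the hash scheme, the cookie value is a function of the user's password and the day, so it stays accepted until the password changes or the one-day window (plus the "yesterday" grace) passes, and the exit button can only delete the client's copy; with the token table, expiry and logout are decided by the server row, and nothing about the user or password is recoverable from the cookie.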