Hi there,
I need to implement a log in window, where user enters Username & Password which must be authenticated.
Could someone help put me on the right tracks for the authentication?
Where are usernames & passwords normally stored? dB? Files?
Are the credentials normally encrypted? MD5? SHAx?
How does the login page recognise a returning user? (and automatically load the username into the username box)
Cookies? Please explain how cookies work and how wisej implements them.
Also, a user may personalise their web app. How do you save and retrieve those personalisation settings for the particular user?
Thank you
Darren
Sorry – I originally posted this as a comment, to the questioner may not have seen the response…
I’ve written some code to do just this recently. And I work in the security business, so I’m a little more driven than most 🙂
I maintain the user identifier and authentication state in the session. I have a modal dialog box which presents a userid/password challenge to the user. A database user table contains the username, and a SHA-256 representation of the password, together with a salt value that is a GUID.
The password is serially concatenated with the username ans salt, and SHA-256 hashed a number of times (typically >500) to calculate the stored value.
So – on login – take the proffered userid / password – look up the salt in the database. If it’s not there, don’t just return, allocate a random salt and run the data through the algorithm to produce the internal hash (thus not leaking if the userid existed on this system). Compare to the internal representation. If it matches, load the creds to the session, if not, tell the user to try again. Log the attempt, the IP address and all that stuff.
JD
You can use anything: a file, a db, directory services, windows, etc. Anything that works with .NET works in Wisej.
With Wisej you can simply save the authentication status (the simplest would be a boolean) in the session (Application.Session). You may also save a cookie and decide how long the authentication lasts.
Generally browsers will prefill the fields automatically, just give it a name like “user” and “password”. Or you can controlling in your code using cookies.
Please login first to submit.