Log in


Hi there,

I need to implement a log in window, where user enters Username & Password which must be authenticated.

Could someone help put me on the right tracks for the authentication?

Where are usernames & passwords normally stored? dB? Files?

Are the credentials normally encrypted? MD5? SHAx?

How does the login page recognise a returning user? (and automatically load the username into the username box)
Cookies? Please explain how cookies work and how wisej implements them.

Also, a user may personalise their web app. How do you save and retrieve those personalisation settings for the particular user?

Thank you

Darren


Sorry – I originally posted this as a comment, so the questioner may not have seen the response…

I’ve written some code to do just this recently. And I work in the security business, so I’m a little more driven than most 🙂

I maintain the user identifier and authentication state in the session. I have a modal dialog box which presents a userid/password challenge to the user. A database user table contains the username, and a SHA-256 representation of the password, together with a salt value that is a GUID.

The password is serially concatenated with the username and salt, and SHA-256 hashed a number of times (typically >500) to calculate the stored value.

So – on login – take the proffered userid / password – look up the salt in the database. If it’s not there, don’t just return, allocate a random salt and run the data through the algorithm to produce the internal hash (thus not leaking if the userid existed on this system). Compare to the internal representation. If it matches, load the creds to the session, if not, tell the user to try again. Log the attempt, the IP address and all that stuff.

JD
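The scheme described in the answer above, written out as an added C# example. This is not the poster's code and it does not use any Wisej API; the in-memory dictionary stands in for the database user table, the iteration count of 1000, the sample credentials, and the exact way the repeated SHA-256 rounds are chained are all assumptions made for the example. For new code, a purpose-built password KDF such as PBKDF2 (Rfc2898DeriveBytes in .NET) or bcrypt is the usual choice rather than hand-iterated SHA-256; the example keeps the post's construction so it can be compared against the description.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the post: the user table holds the username,
// a GUID salt, and the iterated SHA-256 of username + salt + password.
public class UserRecord
{
    public string Username { get; set; }
    public string Salt { get; set; }          // GUID, stored alongside the hash
    public byte[] PasswordHash { get; set; }  // 32-byte SHA-256 output
}

public static class PasswordStore
{
    // The post says "typically >500"; 1000 is an assumed value for the example.
    private const int Iterations = 1000;

    // In-memory stand-in for the database user table (constructed for the example).
    private static readonly Dictionary<string, UserRecord> Users =
        new Dictionary<string, UserRecord>(StringComparer.Ordinal);

    // Hash the concatenation username + salt + password once, then re-hash the
    // digest (Iterations - 1) more times. This is one reading of "hashed a
    // number of times"; the exact chaining is an assumption.
    public static byte[] ComputeHash(string username, string salt, string password)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(username + salt + password));
            for (int i = 1; i < Iterations; i++)
                digest = sha.ComputeHash(digest);
            return digest;
        }
    }

    // Account creation: allocate a fresh GUID salt and store the derived hash.
    public static void Register(string username, string password)
    {
        string salt = Guid.NewGuid().ToString();
        Users[username] = new UserRecord
        {
            Username = username,
            Salt = salt,
            PasswordHash = ComputeHash(username, salt, password)
        };
    }

    // Returns true only for a known user with the right password. For an unknown
    // user the same amount of hashing is done against a throwaway salt, so the
    // response time does not reveal whether the account exists.
    public static bool Authenticate(string username, string password, string remoteIp)
    {
        UserRecord user;
        bool known = Users.TryGetValue(username, out user);
        string salt = known ? user.Salt : Guid.NewGuid().ToString();
        byte[] expected = known ? user.PasswordHash : new byte[32];

        byte[] actual = ComputeHash(username, salt, password);
        // Non-short-circuit '&' so the comparison always runs, known user or not.
        bool ok = known & FixedTimeEquals(actual, expected);

        // "Log the attempt, the IP address and all that stuff." (stdout here;
        // a real application would write to its audit log).
        Console.WriteLine($"{DateTime.UtcNow:o} login user={username} ip={remoteIp} result={(ok ? "OK" : "FAIL")}");
        return ok;
    }

    // Constant-time byte comparison. On .NET Core 2.1+ / .NET 5+ you can use
    // CryptographicOperations.FixedTimeEquals instead; this version also works
    // on .NET Framework.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        // Sample credentials and IP address are constructed for the example.
        PasswordStore.Register("darren", "correct horse battery staple");

        Console.WriteLine(PasswordStore.Authenticate("darren", "correct horse battery staple", "10.0.0.5"));
        Console.WriteLine(PasswordStore.Authenticate("darren", "wrong password", "10.0.0.5"));
        Console.WriteLine(PasswordStore.Authenticate("nobody", "anything", "10.0.0.5"));
    }
}
```

On success the caller would store the user's identifier in the session (what the post calls "load the creds to the session") and read it back on later requests; the example stops at the yes/no decision. The unknown-user branch deliberately performs the full hash loop and the full comparison, so the failure path costs the same whether or not the account exists.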

  • Darren
    Hello John, Apologies for the late reply. Thanks for your answer. Actually, security isn’t much of an issue. Data is not sensitive. What I’m (still) struggling with is a more general understanding of where “stuff” is stored / how it is retrieved / how it is matched to a user / scope of variables, etc. in a web app. Let’s just say, for example, I have a web app. which display temperature from various probes dotted around a factory. User 1 may only want to see probe 1 and probe 2, EVERY time they log in. User 2 may want to see all probes, EVERY time they log in. User 3 may only want to see probe 3, EVERY time they log in. What is the recommended method of the web app. recognising a User (when they log in) and knowing which probes to display on the page? A very basic example (in VB, if possible) would be very, VERY appreciated. Thank you Darren
  • John Daragon
    As Luca observed, there are many ways of doing this. Often, in a web environment, you’d uses a cookie to detect a returning user and their options. What you describe, though, is not one of those cases, really, as cookies are stored per user/browser/client, and you’re really interested in the user and nothing else. A database table, here is likely to be your friend. The login operation (and there are several ways to do this – for users who are only ever internal to your network you’re probably looking at Active Directory or LDAP, but you could either handle the transaction yourself or use any .NET Identity Provider) will typically store the primary key of the user record in the Session, and you’d use that to perform a SELECT on an options table to return the ID’s of the sensors required. Presumably there’s a process polling (say) the MODBUS devices or the A/D converters every so often and stashing the resultant temperatures in another database table. I’m on the road at the moment, with a Linux laptop and nothing else. I may be able to dig out some example code in about a week.

You can use anything: a file, a db, directory services, windows, etc. Anything that works with .NET works in Wisej.

With Wisej you can simply save the authentication status (the simplest would be a boolean) in the session (Application.Session). You may also save a cookie and decide how long the authentication lasts.

Generally browsers will prefill the fields automatically; just give them a name like “user” and “password”. Or you can control it in your code using cookies.

  • Darren
    Hi Luca, I appreciate Wisej can do all of this. My question is… how. As I keep repeating: I’m a desktop developer. Web is COMPLETELY new to me and I’m finding it very hard to get my head around it all. Concepts are very different. I might as well be learning a new language. I think I can handle the dB / encryption side of it. What will the cookie actually be used for in this situation? My understanding is that on an initial account creation, the app. will save the encrypted username & password to dB. But what happens with the cookie at this stage? Does the app. create one (with a timeout) and send it to the client? Say the client then logs out & logs back in again… how does the cookie interact at this stage? Also, I asked what method is normally used for saving client-specific settings to use on each subsequent log-in? Save to dB/file? Thank you
  • Darren
    I don’t know about others, but I think that for folk who are not only new to Wisej, but new to web development in general, there are not enough examples to help with common functions (such as login/client authentication) of web app. development. It’s very frustrating when you know you have the right tools but don’t know how to use them.
  • Luca (ITG)
    Actually Wisej cannot do any of the things I listed. I was simply mentioning that there are many ways with .NET (unrelated to Wisej or web in general) to authenticate a user and you can use any of them. You can write exactly the same code you’d write on a desktop app and it will work. You don’t need cookies to authenticate or save the authentication, simply save it in the session: Application.Session.IsAuthenticated = true|false.
  • John Nagle
    It also depends on how secure your app really needs to be. If it’s simple with a high degree of trust and low risk to users, just store credentials in a text file if you want. Understand that WiseJ is a bit more “secure” by nature, since the connection is persistent (not transactional like traditional websites) and the app is running entirely on the server. And you’re right in that web dev is a different animal, but WiseJ makes it much less intimidating. So just pretend you’re writing a desktop application that is sitting in a public space, and your users will walk up to the keyboard and use it…basically that’s what you’re doing.