Re: [WebDNA] how to clear the [username] and [password] values
This WebDNA talk-list message is from 2008
numero = 101136
Thanks G. I set a logged in type cookie to show or hide the authentication code. I do not store the password in a cookie. Once they've authenticated, we don't need to know that anymore. I do store the username, so that information is available throughout the pages for db searches. I also set a cookie for their membership status and full name to make it easier to show appropriate member-only content, and to do things like "welcome [getcookie fullname]".

To manage a system where they are automatically logged out after 30 minutes (or some other interval), simply make the cookies for that expiration time and reset on every page. To give them a choice of staying logged in indefinitely or not, there's yet another cookie that says they're 30-min folks and shows the above reset code.

There will also be a logout link that will reset them all to expiration dates in the past.

So there are a lot of cookies involved here.

I threw caution to the wind several years ago and made cookies mandatory on all sites going forward. Very few issues.

I also have wondered whether cookies are hackable. The one site where this could be a concern is still on browser authentication. Anyone?

Terry

> Thanks Terry! That is a nice succinct effective article...
>
> I used cookies for a shopping cart site 10 years ago. We didn't rely on them for critical functions since at that time I remember many people were afraid of them and had them turned off. (Myself just re-entering the coding world again after 7 years off)... I suspect that now stats watchers are saying that mostly cookies can be depended on to work (people rarely disable them nowadays)?
>
> Do you guys store the [username] & [password] in the cookies directly? If so are those passwords encrypted there? Any issues worth mentioning here?
>
> Or are you keeping the architecture basically the same the way we did for [authenticate]/access.db etc (original WebDNA design, see *addendum below), and just using the session cookies to store the fact that they passed the tests on each page?
> Can users who are clever inspect their own browser's cookies, hack them, and thus bypass? I am sure you avoided this, I just want to suss out the key points here rather than learning the hard way.
>
> *addendum: (this is an old one before I switched to encrypting passwords)
> [showif NotFound=[lookup db=access.db&lookinField=user&value=[uppercase][username][/uppercase]&returnField=user&notFound=NotFound]]
> [authenticate user]
> [/showif]
> [showif [url][uppercase][password][/uppercase][/url]![url][lookup db=access.db&lookinField=user&value=[uppercase][username][/uppercase]&returnField=pass&notFound=NotFound][/url]]
> [authenticate pass]
> [/showif]
> [search db=access.db&wsgroupsdatarq=[uppercase][groups][/uppercase]&equserdatarq=[uppercase][username][/uppercase]&eqpassdatarq=[url][uppercase][password][/uppercase][/url]]
> [showif [numFound]=0]
> [authenticate Group]
> [/showif]
> [/search]
>
> Thanks for any thoughts.
> -G
>
> On Oct 12, 2008, at 7:12 PM, Terry Wilson wrote:
>
>> I wrote a piece on cookies at the new WebDNA site:
>>
>> http://www.webdna.us/page.dna?numero=79
>>
>> Terry
>>
>> On Oct 12, 2008, at 4:47 PM, Govinda wrote:
>>
>>> Could you give me an outline, in English/pseudo code?
>>> And, could you elaborate on "session"?
>>> This is not all new to me, but I stand to benefit from (fill out my understanding from) your input.
>>>
>>> -G
>>> On Oct 12, 2008, at 11:06 AM, Bob Minor wrote:
>>>
>>>> That is really why you don't want to use a realm. Instead when possible we use cookie/session based controls.
>>>>
>>>> On Oct 12, 2008, at 11:45 AM, Govinda wrote:
>>>>
>>>>> Happy Sunday all!
>>>>>
>>>>> I am successfully using [authenticate], conditionals, and a custom userGroups.db for protecting secure areas of our site.
>>>>> What I am not clear about is how to use WebDNA to clear out the values the browser has stored for [username] and [password].
>>>>> How do we do that? ....
>
> ---------------------------------------------------------
> This message is sent to you because you are subscribed to
> the mailing list .
> To unsubscribe, E-mail to: 
> archives: http://mail.webdna.us/list/talk@webdna.us
> old archives: http://dev.webdna.us/TalkListArchive/

-- 
Terry Wilson | terry@terryfic.com | http://terryfic.com
http://WhosComing.com - a simplified, affordable online reservation system
http://TightJacket.com -- stylish protection for your laptop
--------------------------------------------------------------------------
Attitude is the only difference between ordeal and adventure.
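Govinda's question of whether a visitor can edit their own cookies and bypass the check is the one open point in the thread. The added example below (not from the thread or from WebDNA; written in Python so it can be run stand-alone) shows how the cookie layout Terry describes (username and membership status in cookies, a 30-minute expiry refreshed on every page, logout by setting dates in the past) can be made tamper-evident: every value the server trusts is signed with a server-side secret (HMAC, constructed here as `SECRET`), and the password is never stored. The cookie names are assumptions.

```python
import hmac
import hashlib

# Constructed secret for this example; a real deployment keeps it on the
# server only (never in a cookie or in a template the browser can fetch).
SECRET = b"example-only-server-secret"
SESSION_SECONDS = 30 * 60          # the 30-minute sliding window from the thread
COOKIE_NAMES = ("session", "fullname")   # assumed cookie names

def _mac(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def make_session_cookie(username: str, membership: str, now: int) -> str:
    """Cookie value 'username|membership|expiry|mac'.
    Only facts the server already knows go in; the password never does."""
    payload = f"{username}|{membership}|{int(now) + SESSION_SECONDS}"
    return f"{payload}|{_mac(payload)}"

def read_session_cookie(cookie: str, now: int):
    """Return (username, membership) if the cookie is intact and unexpired,
    otherwise None. Editing any field, including the expiry, changes the
    payload and therefore fails the MAC check."""
    try:
        username, membership, expiry_s, mac = cookie.rsplit("|", 3)
        expiry = int(expiry_s)
    except ValueError:
        return None
    payload = f"{username}|{membership}|{expiry}"
    if not hmac.compare_digest(_mac(payload), mac):
        return None
    if now > expiry:
        return None
    return username, membership

def refresh_session_cookie(cookie: str, now: int):
    """The per-page step from the thread: re-issue with a fresh 30-minute
    expiry, or None when the visitor has already timed out."""
    session = read_session_cookie(cookie, now)
    if session is None:
        return None
    return make_session_cookie(session[0], session[1], now)

def logout_cookie_headers() -> list:
    """Logout link: overwrite every session cookie with a date in the past."""
    past = "Thu, 01 Jan 1970 00:00:00 GMT"
    return [f"Set-Cookie: {name}=; Expires={past}; Path=/; HttpOnly; Secure"
            for name in COOKIE_NAMES]
```

A bare "logged in = yes" cookie or an unsigned username can be rewritten in the browser; with the MAC, changing the name, the membership or the expiry invalidates the cookie and the visitor is treated as logged out.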
Associated Messages, from the most recent to the oldest:
Terry Wilson