Re: [WebDNA] how to clear the [username] and [password] values

This WebDNA talk-list message is from 2008.

Thanks G. I set a logged-in type cookie to show or hide the authentication code. I do not store the password in a cookie. Once they've authenticated, we don't need to know that anymore. I do store the username, so that information is available throughout the pages for db searches. I also set a cookie for their membership status and full name to make it easier to show appropriate member-only content, and to do things like "welcome [getcookie fullname]".

To manage a system where they are automatically logged out after 30 minutes (or some other interval), simply make the cookies for that expiration time and reset on every page. To give them a choice of staying logged in indefinitely or not, there's yet another cookie that says they're 30-min folks and shows the above reset code. There will also be a logout link that will reset them all to expiration dates in the past. So there are a lot of cookies involved here.

I threw caution to the wind several years ago and made cookies mandatory on all sites going forward. Very few issues.

I also have wondered whether cookies are hackable. The one site where this could be a concern is still on browser authentication. Anyone?

Terry

> Thanks Terry! That is a nice succinct effective article...
>
> I used cookies for a shopping cart site 10 years ago. We didn't rely on them for critical functions since at that time I remember many people were afraid of them and had them turned off. (Myself just re-entering the coding world again after 7 years off)... I suspect that now stats watchers are saying that mostly cookies can be depended on to work (people rarely disable them nowadays)?
>
> Do you guys store the [username] & [password] in the cookies directly? If so are those passwords encrypted there? Any issues worth mentioning here?
>
> Or are you keeping the architecture basically the same the way we did for [authenticate]/access.db etc (original WebDNA design, see *addendum below), and just using the session cookies to store the fact that they passed the tests on each page?
> Can users who are clever inspect their own browser's cookies, hack them, and thus bypass? I am sure you avoided this, I just want to suss out the key points here rather than learning the hard way.
>
> *addendum: (this is an old one before I switched to encrypting passwords)
> [showif NotFound=[lookup db=access.db&lookinField=user&value=[uppercase][username][/uppercase]&returnField=user&notFound=NotFound]]
> [authenticate user]
> [/showif]
> [showif [url][uppercase][password][/uppercase][/url]![url][lookup db=access.db&lookinField=user&value=[uppercase][username][/uppercase]&returnField=pass&notFound=NotFound][/url]]
> [authenticate pass]
> [/showif]
> [search db=access.db&wsgroupsdatarq=[uppercase][groups][/uppercase]&equserdatarq=[uppercase][username][/uppercase]&eqpassdatarq=[url][uppercase][password][/uppercase][/url]]
> [showif [numFound]=0]
> [authenticate Group]
> [/showif]
> [/search]
>
> Thanks for any thoughts.
> -G
>
> On Oct 12, 2008, at 7:12 PM, Terry Wilson wrote:
>
>> I wrote a piece on cookies at the new WebDNA site:
>>
>> http://www.webdna.us/page.dna?numero=79
>>
>> Terry
>>
>>
>> On Oct 12, 2008, at 4:47 PM, Govinda wrote:
>>
>>> Could you give me an outline, in English/pseudo code?
>>> And, could you elaborate on "session"?
>>> This is not all new to me, but I stand to benefit from (fill out my understanding from) your input.
>>>
>>> -G
>>> On Oct 12, 2008, at 11:06 AM, Bob Minor wrote:
>>>
>>>> That is really why you don't want to use a realm. Instead when possible we use cookie/session based controls.
>>>>
>>>> On Oct 12, 2008, at 11:45 AM, Govinda wrote:
>>>>
>>>>> Happy Sunday all!
>>>>>
>>>>> I am successfully using [authenticate], conditionals, and a custom userGroups.db for protecting secure areas of our site.
>>>>> What I am not clear about is how to use WebDNA to clear out the values the browser has stored for [username] and [password].
>>>>> How do we do that? ....
>>>>>

-- 
Terry Wilson | terry@terryfic.com | http://terryfic.com
http://WhosComing.com - a simplified, affordable online reservation system
http://TightJacket.com -- stylish protection for your laptop
--------------------------------------------------------------------------
Attitude is the only difference between ordeal and adventure.
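The cookie scheme Terry describes (a logged-in flag, username, membership status and full name in separate cookies, a 30-minute expiry reset on every page) answers Govinda's "can clever users hack their own cookies" question only if the server can tell an edited cookie from a genuine one. The added example below is not WebDNA and not from the thread; it is Python that packs the same fields plus an expiry into one value signed with a server-side HMAC secret (the secret and field values are constructed), so a browser-side edit to "membership" is rejected and the 30-minute timeout is enforced by the server rather than trusted from the browser.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import quote, unquote

# Constructed secret for the example; a real deployment keeps it server-side only.
SERVER_SECRET = b"constructed-example-secret"
SESSION_SECONDS = 30 * 60  # the thread's 30-minute idle logout


def _sign(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(username: str, membership: str, fullname: str,
                now: Optional[float] = None) -> str:
    """Pack username, membership, full name and an expiry into one signed value."""
    now = time.time() if now is None else now
    expires = int(now) + SESSION_SECONDS
    # Percent-encode each field so a '|' inside a name cannot shift the fields.
    fields = [quote(username, safe=""), quote(membership, safe=""),
              quote(fullname, safe=""), str(expires)]
    payload = "|".join(fields)
    return payload + "|" + _sign(payload)


def parse_cookie(cookie: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the fields if the cookie is untampered and unexpired, else None."""
    now = time.time() if now is None else now
    payload, sep, sig = cookie.rpartition("|")
    if not sep:
        return None
    # Constant-time compare: any edit to the payload changes the expected MAC.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    parts = payload.split("|")
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    if int(parts[3]) < now:
        return None  # the server, not just the browser, enforces the timeout
    return {"username": unquote(parts[0]), "membership": unquote(parts[1]),
            "fullname": unquote(parts[2]), "expires": int(parts[3])}


def refresh_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """The per-page reset: re-issue a valid cookie with a fresh 30-minute expiry."""
    fields = parse_cookie(cookie, now)
    if fields is None:
        return None
    return make_cookie(fields["username"], fields["membership"],
                       fields["fullname"], now)
```

Signing makes the cookie tamper-evident, not secret: the username and membership are still readable in the browser, which is why the password is correctly kept out of it. Expiring the browser cookie on logout does not invalidate a copy taken earlier, so a server-side session table is the stricter option where that matters.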
