Skylark session verification [message #53804] Sun, 03 May 2020 02:28
Xemuth
Messages: 189
Registered: August 2018
Location: France
Experienced Member
Hello,

I'm currently using Skylark to develop my own website and I have a little doubt about the Skylark session.

On my website, I want users to authenticate themselves, so actually I'm using a form with $post_identity() to start a session.
When the user sends his data to be logged on, I check if he is legitimate; then, if he is, I do this:
if(Data sent by user is good){
    http.NewIdentity(); //Set new session identity
    http.SessionSet("RIGHT", AsString(us->GetRight())); //Set Right of user
    http.SessionSet("USERNAME", us->GetLogin()); //Set username of user
    http.Redirect(PrivateScreen); //Redirect to the privateScreen
}else{
    http.Redirect(Auth); //Else redirect to authentification page
}


On other pages (like PrivateScreen, for example), I do this to ensure the user is connected:
if( !http[".USERNAME"].ToString().IsEmpty()){
    ...Process everything
}else{
    http.Redirect(Auth); //Else redirect to authentification page
}


Is this way of working safe? Should I instead generate a special ID related to the session ID of the user, send it to cookies and compare it every time?

Thanks in advance


Re: Skylark session verification [message #53811 is a reply to message #53804] Mon, 04 May 2020 18:44
deep
Messages: 221
Registered: July 2011
Location: Bangalore
Experienced Member
I think using USERNAME in the header is not safe. Impersonation is possible.

Some explanation available here.

https://security.stackexchange.com/questions/36318/store-username-in-cookie-for-a-web-site


Warm Regards

Deepak
Re: Skylark session verification [message #53812 is a reply to message #53811] Mon, 04 May 2020 21:31
Xemuth
Messages: 189
Registered: August 2018
Location: France
Experienced Member
Hello Deep,

I don't think session variables and header values are the same; from my point of view, sessions are only available at the server. Maybe I'm wrong?


Re: Skylark session verification [message #53819 is a reply to message #53804] Tue, 05 May 2020 18:27
deep
Messages: 221
Registered: July 2011
Location: Bangalore
Experienced Member
Hi Xemuth,

Xemuth wrote on Sun, 03 May 2020 05:58

    http.SessionSet("RIGHT", AsString(us->GetRight())); //Set Right of user
    http.SessionSet("USERNAME", us->GetLogin()); //Set username of user


I think you should use only the session id, and get the username and user rights from the server for every request based on the session id.

Do not set them (username and rights) as part of the http session params. This is my suggestion.


Warm Regards

Deepak
Re: Skylark session verification [message #53822 is a reply to message #53819] Wed, 06 May 2020 00:31
Xemuth
Messages: 189
Registered: August 2018
Location: France
Experienced Member
Hello Deep,

I will follow it, thanks.


Re: Skylark session verification [message #54090 is a reply to message #53804] Sun, 31 May 2020 10:30
deep
Messages: 221
Registered: July 2011
Location: Bangalore
Experienced Member
Xemuth

I think what you were doing was okay. What gets transmitted is only the session id.
Everything else is stored at the server end.

You can use anything to store in session. Skylark will retrieve it from server side local storage.

I checked this with a couple of examples.



Warm Regards

Deepak

[Updated on: Sun, 31 May 2020 10:31]
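The point settled in this thread, that the browser only ever carries an opaque session id while USERNAME and RIGHT live in server-side storage, and that NewIdentity() issues a fresh id at login, is shown below in plain C++ as an added example. This is not Skylark's own code or U++ API: SessionStore, login(), authenticatedUser() and the user table are constructed stand-ins that model Xemuth's login handler from the first post and Deepak's final observation. It shows why a forged cookie value such as "USERNAME=alice" gains nothing (the lookup fails because no such id exists), and why regenerating the id on successful login invalidates any id the client held before authenticating.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <optional>
#include <random>
#include <string>

// Server-side session store: the client only ever holds the opaque id (the cookie value).
// All per-user data is keyed by that id and never leaves the server.
struct SessionStore {
    std::map<std::string, std::map<std::string, std::string>> sessions;
    std::mt19937_64 rng{std::random_device{}()};  // placeholder; a real server uses a CSPRNG

    // Fresh 128-bit identifier rendered as 32 hex characters.
    std::string freshId() {
        static const char* hex = "0123456789abcdef";
        std::string id;
        for (int i = 0; i < 2; ++i) {
            std::uint64_t w = rng();
            for (int j = 0; j < 16; ++j) { id += hex[w & 0xf]; w >>= 4; }
        }
        return id;
    }

    // Models NewIdentity(): discard the pre-login session and issue a new id, so an id the
    // client held before authenticating can never become an authenticated one (session fixation).
    std::string newIdentity(const std::string& oldId) {
        sessions.erase(oldId);
        std::string id = freshId();
        sessions[id];  // create an empty session under the new id
        return id;
    }

    void set(const std::string& id, const std::string& key, const std::string& value) {
        sessions[id][key] = value;
    }

    // Returns nullopt for an unknown id or a missing key: this is the whole access check.
    std::optional<std::string> get(const std::string& id, const std::string& key) const {
        auto s = sessions.find(id);
        if (s == sessions.end()) return std::nullopt;
        auto v = s->second.find(key);
        if (v == s->second.end()) return std::nullopt;
        return v->second;
    }
};

// Constructed user table (login -> password, right level). A real application stores
// password hashes, not plaintext, and compares them with a constant-time routine.
struct UserRecord { std::string password; int right; };
static const std::map<std::string, UserRecord> kUsers = {
    {"alice", {"correct horse", 2}},
    {"bob",   {"hunter2", 1}},
};

// Login handler: verify credentials, regenerate the id, then store USERNAME and RIGHT
// server-side. Returns the id the Set-Cookie header should carry, or nullopt on failure.
std::optional<std::string> login(SessionStore& store, const std::string& cookieId,
                                 const std::string& user, const std::string& password) {
    auto u = kUsers.find(user);
    if (u == kUsers.end() || u->second.password != password) return std::nullopt;
    std::string id = store.newIdentity(cookieId);
    store.set(id, "USERNAME", user);
    store.set(id, "RIGHT", std::to_string(u->second.right));
    return id;
}

// Private-page guard, the counterpart of testing http[".USERNAME"]: the only client-supplied
// input is the id; the username is resolved from server-side state.
std::optional<std::string> authenticatedUser(const SessionStore& store,
                                             const std::string& cookieId) {
    return store.get(cookieId, "USERNAME");
}

int main() {
    SessionStore store;
    std::string anon = store.newIdentity("");           // pre-login session
    auto id = login(store, anon, "alice", "correct horse");
    std::cout << (id ? "logged in as " + *authenticatedUser(store, *id)
                     : std::string("denied")) << "\n";
    std::cout << "old id still valid: " << std::boolalpha
              << authenticatedUser(store, anon).has_value() << "\n";
    std::cout << "forged cookie valid: "
              << authenticatedUser(store, "USERNAME=alice").has_value() << "\n";
}
```

The design choice to note is that nothing in the cookie is interpreted: it is only a key. Changing it to any value the server did not mint simply produces a miss, so there is no separate "user-specific ID" to sign and compare on every request, as the first post wondered; the unguessable id already is that token.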
