U++ forum: Welcome to the forum

Search on this site

Search in forums

Home » U++ Library support » U++ MT-multithreading and servers » Skylark session verification

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Skylark session verification [message #53804]

Sun, 03 May 2020 02:28

Xemuth
Messages: 387
Registered: August 2018
Location: France

Senior Member

Hello,

I'm currently using Skylark to developpe my own website and I have a little doubt about skylark session.

On my website, I want user authenticate themself. so Actually I'm using a form with $post_identity() to start a session.
When user send is data to be logged on, I check if he is legitimate then, if he is, I do this :

if(Data sent by user is good){
			http.NewIdentity(); //Set new session identity 
			http.SessionSet("RIGHT", AsString(us->GetRight())); //Set Right of user
			http.SessionSet("USERNAME", us->GetLogin()); //Set username of user
			http.Redirect(PrivateScreen); //Redirect to the privateScreen
		}else{
			http.Redirect(Auth); //Else redirect to authentification page
		}

On other page (like PrivateScreen) for example, I do this to ensure the user is connected :

	if( !http[".USERNAME"].ToString().IsEmpty()){
		...Process everythings
	}else{
		http.Redirect(Auth); //Else redirect to authentification page
	}

Is this way of working is safe ? should I instead, generate a special ID related to sessionID of the user, send it to cookies and comparing it every time ?

Thanks in advance

Report message to a moderator

Re: Skylark session verification [message #53811 is a reply to message #53804]

Mon, 04 May 2020 18:44

deep
Messages: 263
Registered: July 2011
Location: Bangalore

Experienced Member

I think using USERNAME in the header is not not safe. Impersonation possible.

Some explanation available here.

https://security.stackexchange.com/questions/36318/store-use rname-in-cookie-for-a-web-site

Warm Regards

Deepak

Report message to a moderator

Re: Skylark session verification [message #53812 is a reply to message #53811]

Mon, 04 May 2020 21:31

Xemuth
Messages: 387
Registered: August 2018
Location: France

Senior Member

Hello Deep,

I don't think session variable and header value are the same, from my point of view, session are only available at server. Maybe I'm wrong ?

Report message to a moderator

Re: Skylark session verification [message #53819 is a reply to message #53804]

Tue, 05 May 2020 18:27

deep
Messages: 263
Registered: July 2011
Location: Bangalore

Experienced Member

Hi Xemuth,

Xemuth wrote on Sun, 03 May 2020 05:58

http.SessionSet("RIGHT", AsString(us->GetRight())); //Set Right of user
http.SessionSet("USERNAME", us->GetLogin()); //Set username of user

I think you should use only sessionid. And should get username and user rights from server for every request based on sessionid.

Do not set it ( username and rights ) as a part of http session params. This is my suggestion.

Warm Regards

Deepak

Report message to a moderator

Re: Skylark session verification [message #53822 is a reply to message #53819]

Wed, 06 May 2020 00:31

Xemuth
Messages: 387
Registered: August 2018
Location: France

Senior Member

Hello Deep,

I will follow it, thanks

Report message to a moderator

Re: Skylark session verification [message #54090 is a reply to message #53804]

Sun, 31 May 2020 10:30

deep
Messages: 263
Registered: July 2011
Location: Bangalore

Experienced Member

Xemuth

I think what you were doing was okay. What gets transmitted is only session id.
Every thing else is stored at server end.

You can use anything to store in session. Skylark will retrieve it from server side local storage.

I checked this with couple of examples.

Warm Regards

Deepak

[Updated on: Sun, 31 May 2020 10:31]

Report message to a moderator

Previous Topic:	ASyncWork/CoWork Cancel() method leads to deadlock (when used with GuiLock)
Next Topic:	AsyncWork, IsFinished() may not be working properly

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Tue Apr 16 06:33:48 CEST 2024

Total time taken to generate the page: 0.03229 seconds