• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 267
  • Last Modified:

Cookies and passwords

How can I use standalone cgis to access a website? I read that it can be done with cookies, but I couldn't understand the idea and I don't found the way to send and retrieve cookies with my cgi. I'm working with delphi c/s without any third-party tool.
0
speaker
Asked:
speaker
  • 6
  • 6
1 Solution
 
d003303Commented:
Yo,
to set cookies you have to include an additional header entry in the reply. This entry is
Set-cookie: <name>=<value>
where name is the name of the variable in the cookie, value its value. You may set several cookies at a time.

The browser now sends back the cookie(s) at all following requests to the site that set the cookie. You can get the values fromout your CGI environment.

Slash/d003303
0
 
d003303Commented:
Hum, any comment about the rejection ?

Slash/d003303
0
 
speakerAuthor Commented:
Sorry, Slash/d003303. I do not want to reject the answer, i am just understanding the way of doing things within EE. The problem is that I am just a begginner with cgis and your answer cannot help me. I have a lot of questions. How can i read a password and encript it in some way from the cliente to my cgi and then send a cookie? How can i send that cookie? How can i read that cookie in each page for testing that the password is correct?
Again d003303, i don't want to reject your answer but i couldn't accept it, i need a little more. Sorry again,

Speaker
0
Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

 
d003303Commented:
No prob. It's just if you don't comment why you reject, it is hardly possible to help you further. Anyway, first thing to know is if you are using Delphi c/s 3 ? In version 3 there is native CGI, ISAPI and NSAPI support. In all versions below 3.0 you will have to do CGI handling "by hand".

Slash/d003303
0
 
speakerAuthor Commented:
Iam using delphi 3.0 Client/Server version.
0
 
speakerAuthor Commented:
Adjusted points to 98
0
 
d003303Commented:
OK, first a few basic things. HTTP is a loose coupled protocol, i.e. for one request you get one reply, that's it. The HTTP server does not carry any context to the client. For authorizations, you need a context. There are several possibilities to achieve this.
The first one is server-authorization (like here at EE). You are prompted for a user/password, and the browser sends this authorization in every request to that server.
The second one is to keep a program running that handles the client contexts. You log in through a web page and start a CGI. The CGI contacts the context app to verify the login, gets back a session handle and stores this handle in a cookie on the client. On all subsequent calls, this cookie is read by the CGI and transfered to the context app wich processes the request.
The second possibility has a lot of advantages, but it is much more difficult to code. You can track the state of the user because you have access to the opened sessions identified by the cookie. So you will not have to store the state in hidden form fields etc. You can time out a connection after a certain period of time. In General, you can set a web frontend onto any tight coupled or context dependant protocol.

Now, what do you need then ?

Slash/d003303
0
 
speakerAuthor Commented:
Well, the second option is what fit best with my objetives.
I am thinking on using a table with user/password data.
The user has to login in a page and then submit the user/pw entries.
How can I encrypt the pw from the client to the server the first time he log in the page in that session?
The session handle is something that I create with some meaning for me or what is it?

0
 
d003303Commented:
Encrypting the password in a safe way can only be done via a Java applet or an ActiveX control. If you use a JavaScript function, you could use encryption based on a public key.
A session handle is a unique identifier to a session. You could create new handles by e.g. incrementing a number, random numbers with a check over existing session handles etc.
For safety reasons it would be necessary to change the session handle after each request. Otherwise some hacker could easily hook into a running session without logging in.

Questions?
0
 
speakerAuthor Commented:
Two more questions:
1) Can the javascript code be hide inside my html code?
and finally:
2) How can I accept your answer?

Thanks you!!!!
Speaker
0
 
d003303Commented:
1) No, the only possibility is to put the code into an external .js file. But the location of this file is seen in the HTML source, and so anybody could download it by knowing its location.
But Encryption based on public keys (like PGP) do not rely on hiding anything on the client side, that's the good thing ! If one knows the algorithm AND the public key, he cannot decrypt anything. For decryprion you need the private key, wich resists on the server. This key can be well protected in code/resources/secured files/secured registry keys.
2) Now you can ;-)

Slash/d003303
0
 
speakerAuthor Commented:
Now yes, you answer my question and more. Thanks you for your help!!
Speaker
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

  • 6
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now