Solved

Cookies and passwords

Posted on 1998-07-14
261 Views
Last Modified: 2012-05-04
How can I use standalone CGIs to access a website? I read that it can be done with cookies, but I couldn't understand the idea and I haven't found a way to send and retrieve cookies with my CGI. I'm working with Delphi C/S without any third-party tool.
Question by:speaker
12 Comments
 
LVL 4

Expert Comment

by:d003303
ID: 1357883
Yo,
to set cookies you have to include an additional header entry in the reply. This entry is
Set-cookie: <name>=<value>
where name is the name of the variable in the cookie, value its value. You may set several cookies at a time.

The browser now sends back the cookie(s) with all following requests to the site that set the cookie. You can get the values from your CGI environment.

Slash/d003303
0
 
LVL 4

Expert Comment

by:d003303
ID: 1357884
Hum, any comment about the rejection ?

Slash/d003303
0
 

Author Comment

by:speaker
ID: 1357885
Sorry, Slash/d003303. I do not want to reject the answer, I am just understanding the way of doing things within EE. The problem is that I am just a beginner with CGIs and your answer cannot help me. I have a lot of questions. How can I read a password and encrypt it in some way from the client to my CGI and then send a cookie? How can I send that cookie? How can I read that cookie in each page for testing that the password is correct?
Again d003303, I don't want to reject your answer but I couldn't accept it, I need a little more. Sorry again,

Speaker
0
 
LVL 4

Expert Comment

by:d003303
ID: 1357886
No prob. It's just if you don't comment why you reject, it is hardly possible to help you further. Anyway, first thing to know is if you are using Delphi c/s 3 ? In version 3 there is native CGI, ISAPI and NSAPI support. In all versions below 3.0 you will have to do CGI handling "by hand".

Slash/d003303
0
 

Author Comment

by:speaker
ID: 1357887
I am using Delphi 3.0 Client/Server version.
0
 

Author Comment

by:speaker
ID: 1357888
Adjusted points to 98
0
 
LVL 4

Expert Comment

by:d003303
ID: 1357889
OK, first a few basic things. HTTP is a loosely coupled protocol, i.e. for one request you get one reply, that's it. The HTTP server does not carry any context to the client. For authorizations, you need a context. There are several possibilities to achieve this.
The first one is server-authorization (like here at EE). You are prompted for a user/password, and the browser sends this authorization in every request to that server.
The second one is to keep a program running that handles the client contexts. You log in through a web page and start a CGI. The CGI contacts the context app to verify the login, gets back a session handle and stores this handle in a cookie on the client. On all subsequent calls, this cookie is read by the CGI and transferred to the context app which processes the request.
The second possibility has a lot of advantages, but it is much more difficult to code. You can track the state of the user because you have access to the opened sessions identified by the cookie. So you will not have to store the state in hidden form fields etc. You can time out a connection after a certain period of time. In general, you can set a web frontend onto any tightly coupled or context-dependent protocol.

Now, what do you need then ?

Slash/d003303
0
 

Author Comment

by:speaker
ID: 1357890
Well, the second option is what fits best with my objectives.
I am thinking of using a table with user/password data.
The user has to log in on a page and then submit the user/pw entries.
How can I encrypt the pw from the client to the server the first time he logs in on the page in that session?
The session handle is something that I create with some meaning for me or what is it?

0
 
LVL 4

Expert Comment

by:d003303
ID: 1357891
Encrypting the password in a safe way can only be done via a Java applet or an ActiveX control. If you use a JavaScript function, you could use encryption based on a public key.
A session handle is a unique identifier to a session. You could create new handles by e.g. incrementing a number, random numbers with a check over existing session handles etc.
For safety reasons it would be necessary to change the session handle after each request. Otherwise some hacker could easily hook into a running session without logging in.

Questions?
0
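
An added example, not part of the thread or code posted by anyone in it: the login, session-handle and cookie flow described in the comments above, sketched in Python because the CGI mechanics (a `Set-Cookie` reply header, the `HTTP_COOKIE` environment variable) are the same from a Delphi CGI. The cookie name `sid`, the timeout value, the in-memory dictionaries standing in for the user table and the context app, and the sample user are assumptions; handles here come from a cryptographic random generator so they cannot be guessed, and the table stores salted password hashes rather than passwords.

```python
import hashlib, hmac, secrets, time
from http.cookies import SimpleCookie

SESSION_TTL = 900    # assumed: seconds of inactivity before a session times out
COOKIE_NAME = "sid"  # assumed cookie name

def hash_password(password, salt):
    # Store only a salted, slow hash of the password, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed sample user table: name -> (salt, password hash)
_salt = secrets.token_bytes(16)
USERS = {"speaker": (_salt, hash_password("correct horse", _salt))}

SESSIONS = {}  # handle -> (user, last_seen); state held by the "context app"

def set_cookie_header(handle):
    # HttpOnly hides the cookie from page scripts; Secure restricts it to HTTPS.
    return (f"Set-Cookie: {COOKIE_NAME}={handle}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")

def login(user, password, now=None):
    """Verify the login; return a Set-Cookie header line, or None on failure."""
    now = time.time() if now is None else now
    salt, stored = USERS.get(user, (b"\0" * 16, b""))
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return None
    handle = secrets.token_urlsafe(32)  # unpredictable session handle
    SESSIONS[handle] = (user, now)
    return set_cookie_header(handle)

def handle_request(environ, now=None):
    """Map the request's cookie to a user; return (user, header) or (None, None)."""
    now = time.time() if now is None else now
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get(COOKIE_NAME)
    # pop() retires the presented handle whether or not the session is still valid.
    session = SESSIONS.pop(morsel.value, None) if morsel else None
    if session is None or now - session[1] > SESSION_TTL:
        return None, None
    new_handle = secrets.token_urlsafe(32)  # rotate the handle on every request
    SESSIONS[new_handle] = (session[0], now)
    return session[0], set_cookie_header(new_handle)
```

A real CGI would print the returned header line before the blank line that ends the reply headers, and would pass `os.environ` as `environ`.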
 

Author Comment

by:speaker
ID: 1357892
Two more questions:
1) Can the JavaScript code be hidden inside my HTML code?
and finally:
2) How can I accept your answer?

Thank you!!!!
Speaker
0
 
LVL 4

Accepted Solution

by:
d003303 earned 90 total points
ID: 1357893
1) No, the only possibility is to put the code into an external .js file. But the location of this file is seen in the HTML source, and so anybody could download it by knowing its location.
But encryption based on public keys (like PGP) does not rely on hiding anything on the client side, that's the good thing! If one knows the algorithm AND the public key, he cannot decrypt anything. For decryption you need the private key, which resides on the server. This key can be well protected in code/resources/secured files/secured registry keys.
2) Now you can ;-)

Slash/d003303
0
 

Author Comment

by:speaker
ID: 1357894
Now yes, you answered my question and more. Thank you for your help!!
Speaker
0
