Solved

Cookies and passwords

Posted on 1998-07-14
Last Modified: 2012-05-04
How can I use standalone CGIs to access a website? I read that it can be done with cookies, but I couldn't understand the idea and I didn't find a way to send and retrieve cookies with my CGI. I'm working with Delphi c/s without any third-party tool.
Question by:speaker

Expert Comment

by:d003303
Yo,
to set cookies you have to include an additional header entry in the reply. This entry is
Set-cookie: <name>=<value>
where name is the name of the variable in the cookie, value its value. You may set several cookies at a time.

The browser now sends back the cookie(s) in all following requests to the site that set the cookie. You can get the values from your CGI environment.

Slash/d003303

Expert Comment

by:d003303
Hum, any comment about the rejection?

Slash/d003303
 

Author Comment

by:speaker
Sorry, Slash/d003303. I do not want to reject the answer, I am just understanding the way of doing things within EE. The problem is that I am just a beginner with CGIs and your answer cannot help me. I have a lot of questions. How can I read a password and encrypt it in some way from the client to my CGI and then send a cookie? How can I send that cookie? How can I read that cookie in each page for testing that the password is correct?
Again d003303, I don't want to reject your answer but I couldn't accept it, I need a little more. Sorry again,

Speaker

Expert Comment

by:d003303
No prob. It's just if you don't comment why you reject, it is hardly possible to help you further. Anyway, first thing to know is if you are using Delphi c/s 3? In version 3 there is native CGI, ISAPI and NSAPI support. In all versions below 3.0 you will have to do CGI handling "by hand".

Slash/d003303
 

Author Comment

by:speaker
I am using Delphi 3.0 Client/Server version.
 

Author Comment

by:speaker
Adjusted points to 98

Expert Comment

by:d003303
OK, first a few basic things. HTTP is a loosely coupled protocol, i.e. for one request you get one reply, that's it. The HTTP server does not carry any context to the client. For authorizations, you need a context. There are several possibilities to achieve this.
The first one is server-authorization (like here at EE). You are prompted for a user/password, and the browser sends this authorization in every request to that server.
The second one is to keep a program running that handles the client contexts. You log in through a web page and start a CGI. The CGI contacts the context app to verify the login, gets back a session handle and stores this handle in a cookie on the client. On all subsequent calls, this cookie is read by the CGI and transferred to the context app which processes the request.
The second possibility has a lot of advantages, but it is much more difficult to code. You can track the state of the user because you have access to the opened sessions identified by the cookie. So you will not have to store the state in hidden form fields etc. You can time out a connection after a certain period of time. In general, you can set a web frontend onto any tightly coupled or context-dependent protocol.

Now, what do you need then?

Slash/d003303
 

Author Comment

by:speaker
Well, the second option is what fits best with my objectives.
I am thinking of using a table with user/password data.
The user has to log in on a page and then submit the user/pw entries.
How can I encrypt the pw from the client to the server the first time he logs in on the page in that session?
The session handle is something that I create with some meaning for me or what is it?


Expert Comment

by:d003303
Encrypting the password in a safe way can only be done via a Java applet or an ActiveX control. If you use a JavaScript function, you could use encryption based on a public key.
A session handle is a unique identifier to a session. You could create new handles by e.g. incrementing a number, random numbers with a check over existing session handles etc.
For safety reasons it would be necessary to change the session handle after each request. Otherwise some hacker could easily hook into a running session without logging in.

Questions?
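
An added example, not part of the original thread and not Delphi code: the cookie-carried session handle that d003303 describes in the two answers above (a context app holding the sessions, a timeout, a fresh handle after each request), written in Python because the `HTTP_COOKIE` environment variable and the `Set-Cookie` reply header work the same from any CGI language. `ContextApp`, `open_session`, `resume`, `handle_request`, the cookie name and the 15-minute timeout are assumptions; handles are drawn from a CSPRNG rather than a counter so they cannot be guessed.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 15 * 60      # assumed idle timeout, in seconds
COOKIE_NAME = "session"    # assumed cookie name


class ContextApp:
    """Stands in for the long-running program that holds the client contexts."""

    def __init__(self):
        self.sessions = {}  # handle -> (user, last_seen)

    def open_session(self, user, now=None):
        """Call only after the login has been verified; returns a new handle."""
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(32)  # unguessable, unlike a counter
        self.sessions[handle] = (user, now)
        return handle

    def resume(self, handle, now=None):
        """Check a handle; on success retire it and return (user, new_handle)."""
        now = time.time() if now is None else now
        entry = self.sessions.pop(handle, None)  # each handle is single-use
        if entry is None or now - entry[1] > SESSION_TTL:
            return None                          # unknown, replayed or timed out
        user = entry[0]
        return user, self.open_session(user, now)


def handle_request(app, environ, now=None):
    """CGI side: read the cookie from the environment, build the reply headers."""
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = jar.get(COOKIE_NAME)
    result = app.resume(morsel.value, now) if morsel else None
    if result is None:
        return "403 Forbidden", ["Content-Type: text/plain"]
    _user, new_handle = result
    out = SimpleCookie()
    out[COOKIE_NAME] = new_handle
    out[COOKIE_NAME]["path"] = "/"
    out[COOKIE_NAME]["httponly"] = True  # keep the handle away from page scripts
    out[COOKIE_NAME]["secure"] = True    # only send it back over HTTPS
    # out.output() renders one "Set-Cookie: session=...; ..." header line
    return "200 OK", ["Content-Type: text/plain", out.output()]
```

Rotating the handle on every request follows the answer's advice, but a page that fires several requests in parallel will present an already retired handle, so many deployments rotate at login and on privilege changes instead.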
 

Author Comment

by:speaker
Two more questions:
1) Can the JavaScript code be hidden inside my HTML code?
and finally:
2) How can I accept your answer?

Thank you!!!!
Speaker

Accepted Solution

by:d003303 (earned 90 total points)
1) No, the only possibility is to put the code into an external .js file. But the location of this file is seen in the HTML source, and so anybody could download it by knowing its location.
But encryption based on public keys (like PGP) does not rely on hiding anything on the client side, that's the good thing! If one knows the algorithm AND the public key, he cannot decrypt anything. For decryption you need the private key, which resides on the server. This key can be well protected in code/resources/secured files/secured registry keys.
2) Now you can ;-)

Slash/d003303
 

Author Comment

by:speaker
Now yes, you answered my question and more. Thank you for your help!!
Speaker