  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 265

Cookies and passwords

How can I use standalone CGIs to access a website? I read that it can be done with cookies, but I couldn't understand the idea and I didn't find the way to send and retrieve cookies with my CGI. I'm working with Delphi c/s without any third-party tool.
0
speaker
Asked:
speaker
1 Solution
 
d003303 Commented:
Yo,
to set cookies you have to include an additional header entry in the reply. This entry is
Set-cookie: <name>=<value>
where name is the name of the variable in the cookie, value its value. You may set several cookies at a time.

The browser now sends back the cookie(s) at all following requests to the site that set the cookie. You can get the values from your CGI environment.

Slash/d003303
0
 
d003303 Commented:
Hum, any comment about the rejection ?

Slash/d003303
0
 
speaker (Author) Commented:
Sorry, Slash/d003303. I do not want to reject the answer, I am just understanding the way of doing things within EE. The problem is that I am just a beginner with CGIs and your answer cannot help me. I have a lot of questions. How can I read a password and encrypt it in some way from the client to my CGI and then send a cookie? How can I send that cookie? How can I read that cookie in each page for testing that the password is correct?
Again d003303, I don't want to reject your answer but I couldn't accept it, I need a little more. Sorry again,

Speaker
0

 
d003303 Commented:
No prob. It's just if you don't comment why you reject, it is hardly possible to help you further. Anyway, first thing to know is if you are using Delphi c/s 3 ? In version 3 there is native CGI, ISAPI and NSAPI support. In all versions below 3.0 you will have to do CGI handling "by hand".

Slash/d003303
0
 
speaker (Author) Commented:
I am using Delphi 3.0 Client/Server version.
0
 
speaker (Author) Commented:
Adjusted points to 98
0
 
d003303 Commented:
OK, first a few basic things. HTTP is a loosely coupled protocol, i.e. for one request you get one reply, that's it. The HTTP server does not carry any context to the client. For authorizations, you need a context. There are several possibilities to achieve this.
The first one is server-authorization (like here at EE). You are prompted for a user/password, and the browser sends this authorization in every request to that server.
The second one is to keep a program running that handles the client contexts. You log in through a web page and start a CGI. The CGI contacts the context app to verify the login, gets back a session handle and stores this handle in a cookie on the client. On all subsequent calls, this cookie is read by the CGI and transferred to the context app which processes the request.
The second possibility has a lot of advantages, but it is much more difficult to code. You can track the state of the user because you have access to the opened sessions identified by the cookie. So you will not have to store the state in hidden form fields etc. You can time out a connection after a certain period of time. In general, you can set a web frontend onto any tightly coupled or context-dependent protocol.

Now, what do you need then ?

Slash/d003303
0
 
speaker (Author) Commented:
Well, the second option is what fits best with my objectives.
I am thinking of using a table with user/password data.
The user has to log in on a page and then submit the user/pw entries.
How can I encrypt the pw from the client to the server the first time he logs in to the page in that session?
The session handle is something that I create with some meaning for me or what is it?

0
 
d003303 Commented:
Encrypting the password in a safe way can only be done via a Java applet or an ActiveX control. If you use a JavaScript function, you could use encryption based on a public key.
A session handle is a unique identifier to a session. You could create new handles by e.g. incrementing a number, random numbers with a check over existing session handles etc.
For safety reasons it would be necessary to change the session handle after each request. Otherwise some hacker could easily hook into a running session without logging in.

Questions?
0
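The cookie round trip and the session-handle scheme from d003303's answers above (the Set-cookie header and CGI environment, the "context app" with timeouts, and changing the handle after each request), as an added Python sketch that is not code from the thread and not Delphi. The names `SessionStore` and `handle_request`, the cookie name `session` and the 15-minute idle timeout are assumptions; the password check is assumed to have happened before `create` is called, and handles are drawn from the OS random generator.

```python
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "session"  # assumed cookie name
IDLE_TIMEOUT = 15 * 60   # assumed idle timeout in seconds


class SessionStore:
    """Stand-in for the long-running context app; a real CGI process dies per request."""

    def __init__(self):
        self._sessions = {}  # handle -> (user, last_seen)

    def create(self, user, now):
        handle = secrets.token_urlsafe(32)  # random and unguessable
        self._sessions[handle] = (user, now)
        return handle

    def rotate(self, handle, now):
        """Return (user, new_handle), or None if the handle is unknown or idle too long."""
        entry = self._sessions.pop(handle, None)  # the presented handle is spent either way
        if entry is None or now - entry[1] > IDLE_TIMEOUT:
            return None
        return entry[0], self.create(entry[0], now)


def handle_request(environ, store, now=None):
    """CGI-style handler: returns (status, headers, user) for one request."""
    now = time.time() if now is None else now
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))  # cookies arrive via the CGI environment
    morsel = jar.get(COOKIE_NAME)
    result = store.rotate(morsel.value, now) if morsel is not None else None
    if result is None:
        return "403 Forbidden", [("Content-Type", "text/plain")], None
    user, new_handle = result
    out = SimpleCookie()
    out[COOKIE_NAME] = new_handle
    out[COOKIE_NAME]["httponly"] = True  # keep the handle away from page scripts
    out[COOKIE_NAME]["secure"] = True    # only send it over HTTPS
    out[COOKIE_NAME]["path"] = "/"
    headers = [("Content-Type", "text/plain"),
               ("Set-Cookie", out[COOKIE_NAME].OutputString())]
    return "200 OK", headers, user
```

Because every valid request consumes the old handle and issues a new one, a copied cookie stops working as soon as the legitimate browser makes its next request.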
 
speaker (Author) Commented:
Two more questions:
1) Can the JavaScript code be hidden inside my HTML code?
and finally:
2) How can I accept your answer?

Thank you!!!!
Speaker
0
 
d003303 Commented:
1) No, the only possibility is to put the code into an external .js file. But the location of this file is seen in the HTML source, and so anybody could download it by knowing its location.
But encryption based on public keys (like PGP) does not rely on hiding anything on the client side, that's the good thing! If one knows the algorithm AND the public key, he cannot decrypt anything. For decryption you need the private key, which resides on the server. This key can be well protected in code/resources/secured files/secured registry keys.
2) Now you can ;-)

Slash/d003303
0
 
speaker (Author) Commented:
Now yes, you answered my question and more. Thank you for your help!!
Speaker
0
