• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 582
  • Last Modified:

webbroker, using cookies to verify page requests

Hi there,

I've been getting into delphi 6 webbroker and it's a lot fun. However, cookies are a little beyond me right now. I understand what they can but not how to do them.

What i've got is a user that logs in with a password and login name. The site handles orders for products so i want to make sure that the page requests being sent actually come from the person who has logged in. I've seen an example from Motaz on keeping the cookie for a period of time to remember the login details (like a "remember me" i guess). Is it along the same lines?

Cheers

Neil
0
NeilLewis
Asked:
NeilLewis
1 Solution
 
ginsonicCommented:
listening
0
 
NeilLewisAuthor Commented:
I've been trying request.RemoteAddr and global variables instead but need to use cookies i know.

eg, in the web module create i say

strUserAddress := request.RemoteAddr;

with strUserAddress being a global variable. Then in a function ...

procedure TWebModule1.CheckIPAddress();
var
    strCompareIPAddress : string;
    textcompare : integer;
begin

strCompareIPAddress := request.RemoteAddr;
textcompare := comparestr(strCompareIPAddress, strIPAddress);

if textcompare <> 0 then //the strings don't match
begin
   response.Content := 'Address does not match';
else
  ;//do nothing (carry on)
end;


And that function is put where you want to check where the page requests are coming from. BUT I WANT TO USE COOKIES!

Neil
0
 
RayNorrishCommented:
Your approach is wrong. You should not use request.RemoteAddr for anything critical, as this could be a proxy address, and does not indicate a unique client.

Here is the approach I use:

Have a user database table that contains at least:

User, Password, Session ID

Collect the user and password at login, and generate a session ID (some random alphanumeric).

Set the sessionID as your cookie. You must verify this session ID for all future actions of that session.

This has at least two benefits - one is that you don`t continually keep passing a usrname, password to maintain state, but a "useless" sessionID that is only valid for that session, and the other is that you should make this cookie "session only" ie. set it's expiration to 0 or -1 so that it cannot be reused.

I have written my own session management around this model, but there are several 3rd party options available.
A search for MDWeb by Mark Brittingham would be useful, and especially a visit to Shiv Kumar's tutorials (www.matlus.com) should totally enlighten you :)
0
 
pnh73Commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Accept Answer from RayNorrish

Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
Paul (pnh73)
EE Cleanup Volunteer
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now