Thread Localstorage usage
Fri, May 5 2017 9:10 AM

Huseyin Aliz

myBiss ApS

Hi All,

I am currently trying to implement a "remember me" function to keep
username/password for the user. If I am not wrong, localstorage can be used
for this purpose.

I am using the following code in the login process validation:

   if (RememberMe.SelectionState = ssSelected) then begin
      LocalStorage.Set('User', Dataset.columns['Login'].asString);
      LocalStorage.Set('Pw', Dataset.columns['Password'].asString);
   end;
   if (RememberMe.SelectionState <> ssSelected) then begin
      LocalStorage.Set('User', '');
      LocalStorage.Set('Pw', '');
   end;

And this on formshow event:

   if LocalStorage.Exists('User') then
      UsernameEdit.text := Localstorage.Items['User'];
   if LocalStorage.Exists('Pw') then
      PasswordEdit.text := Localstorage.Items['Pw'];

But nothing seems to be saved?

Regards,
Hüseyin
Fri, May 5 2017 9:20 AM

Matthew Jones

Hüseyin Aliz wrote:

> Hi All,
>
> I am currently trying to implement a "remember me" function to keep username/password for the user. If I am not wrong, localstorage can be used for this purpose.
>
> I am using the following code in the login process validation:
>
>    if (RememberMe.SelectionState = ssSelected) then begin
>    LocalStorage.Set('User', Dataset.columns['Login'].asString);
>    LocalStorage.Set('Pw', Dataset.columns['Password'].asString);
>    end;
>    if (RememberMe.SelectionState <> ssSelected) then begin
>    LocalStorage.Set('User', '');
>    LocalStorage.Set('Pw', '');
>    end;
>
> And this on formshow event:
>
> if LocalStorage.Exists('User') then UsernameEdit.text := Localstorage.Items['User'];
> if LocalStorage.Exists('Pw') then PasswordEdit.text := Localstorage.Items['Pw'];
>
> But nothing seems to be saved?
>
> Regards,
> Hüseyin

That all looks right to me. Note there is a .Clear('User') which should help for not storing.

Have a look in the browser debug and you should see them. I think for passwords you should "munge" them a little to stop them being immediately visible to anyone digging.

--

Matthew Jones
Fri, May 5 2017 1:35 PM

Uli Becker

> But nothing seems to be saved?

As Matthew stated, your code seems to be correct.

I don't know the context of your code, but I would check first
(Showmessage) if Dataset.columns['Login'].asString and
Dataset.columns['Password'].asString contain values.

Uli
Fri, May 5 2017 4:53 PM

Ronald

Uli Becker wrote:

>As Matthew stated, your code seems to be correct.

Maybe your browser clears the cache on exit? This is an option in Explorer, maybe it is set in yours.

Ronald
Sat, May 6 2017 6:09 AM

Huseyin Aliz

myBiss ApS

Hi All,

Thanks all, the code was ok, as you all pointed out; it began to work
after I moved the localstorage.set section to another place where
username/pw was set correctly from the dataset.

Regards,

Hüseyin



On 05-05-2017 at 22:53, Ronald wrote:
> Uli Becker wrote:
>
>> As Matthew stated, your code seems to be correct.
> Maybe your browser clears the cache on exit? This is an option in Explorer, maybe it is set in yours.
>
> Ronald
>
Sat, May 6 2017 6:10 AM

Huseyin Aliz

myBiss ApS

Matthew,

Can you please give some examples how to "munge" the password?

Thanks in advance.

Regards,

Hüseyin


On 05-05-2017 at 15:20, Matthew Jones wrote:
> Hüseyin Aliz wrote:
>
>> Hi All,
>>
>> I am currently trying to implement a "remember me" function to keep username/password for the user. If I am not wrong, localstorage can be used for this purpose.
>>
>> I am using the following code in the login process validation:
>>
>>     if (RememberMe.SelectionState = ssSelected) then begin
>>     LocalStorage.Set('User', Dataset.columns['Login'].asString);
>>     LocalStorage.Set('Pw', Dataset.columns['Password'].asString);
>>     end;
>>     if (RememberMe.SelectionState <> ssSelected) then begin
>>     LocalStorage.Set('User', '');
>>     LocalStorage.Set('Pw', '');
>>     end;
>>
>> And this on formshow event:
>>
>> if LocalStorage.Exists('User') then UsernameEdit.text := Localstorage.Items['User'];
>> if LocalStorage.Exists('Pw') then PasswordEdit.text := Localstorage.Items['Pw'];
>>
>> But nothing seems to be saved?
>>
>> Regards,
>> Hüseyin
> That all looks right to me. Note there is a .Clear('User') which should help for not storing.
>
> Have a look in the browser debug and you should see them. I think for passwords you should "munge" them a little to stop them being immediately visible to anyone digging.
>
Sat, May 6 2017 6:59 AM

Raul

Team Elevate

<<
I am currently trying to implement a "remember me" function to keep
username/password for the user. If I am not wrong, localstorage can be used
for this purpose.
>>

I really suggest you do not store the password as this is a vulnerability waiting to be exploited.

Depending on the usage, either compute a hash you can store, and/or, if it's used to authenticate against the backend, have your server give you a session ID that you can use to auto-authenticate and that can be easily expired as needed.

Raul
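
The server-issued session ID Raul describes above, as an added example (not code from the thread or from Elevate Web Builder): the server hands out a random, expiring, single-use token and keeps only its hash. The function names, the in-memory `store` and the 14-day lifetime are assumptions for illustration.

```javascript
// Added example: server-side "remember me" tokens (Node.js, built-in crypto only).
const crypto = require('crypto');

const TOKEN_TTL_MS = 14 * 24 * 60 * 60 * 1000; // assumed 14-day lifetime
const store = new Map(); // selector -> { hash, user, expires }; stands in for a DB table

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Called after a successful password login with "remember me" ticked.
function issueToken(user, now = Date.now()) {
  const selector = crypto.randomBytes(9).toString('hex'); // lookup key
  const secret = crypto.randomBytes(32).toString('hex');  // never stored in clear
  store.set(selector, { hash: sha256(secret), user, expires: now + TOKEN_TTL_MS });
  return `${selector}.${secret}`; // the only value the client keeps
}

// Called on auto-login. Returns { user, token } with a rotated token, or null.
function redeemToken(token, now = Date.now()) {
  const [selector, secret] = String(token).split('.');
  const rec = store.get(selector);
  if (!rec || !secret) return null;
  store.delete(selector); // single use: consumed whether or not it verifies
  if (now > rec.expires) return null;
  // Both buffers are 32-byte SHA-256 digests, so timingSafeEqual cannot throw.
  if (!crypto.timingSafeEqual(rec.hash, sha256(secret))) return null;
  return { user: rec.user, token: issueToken(rec.user, now) };
}

// Logout or "sign out everywhere": drop every token for the user.
function revokeUser(user) {
  for (const [sel, rec] of store) if (rec.user === user) store.delete(sel);
}
```

On the client, the returned string is what goes into LocalStorage in place of `Pw`; a copied value expires, can be revoked on the server, and never reveals the password itself.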
Mon, May 8 2017 3:53 AM

Matthew Jones

Hüseyin Aliz wrote:

> Can you please give some examples how to "munge" the password?

I have my methods, and given that this is "security by obscurity" and that is generally not actually "security", I'd rather not give away instant details. But if you just run through the password and add 1 to each letter, so password becomes qbttxpe then that is step one. If you see qbttxpe you don't immediately know the password. Add the offset to each character to make the ss not be the same letter. You have to watch that you aren't going to go out of the normal character ranges. You might also take steps to make all data a specific length, so that "123" is not "abc" but is "abckauiosy". Obviously you need to be able to undo that.

Like I say, this is not designed to be secure - it cannot be as they have access to the code. It is designed to stop someone opening the debug facilities of the browser and just "seeing" the password.

--

Matthew Jones
Mon, May 8 2017 3:54 AM

Matthew Jones

Raul wrote:

> I really suggest you do not store the password as this is a vulnerability waiting to be exploited.

It is a worthwhile consideration that you point out. Me, I have a checkbox that allows the user to choose. And a label to not do it on public computers. For some it is a great convenience to do this on their own computer.

--

Matthew Jones
Mon, May 8 2017 8:17 AM

Huseyin Aliz

myBiss ApS

Raul/Matthew,

You are right that saving the password might not be a good idea, even
though phones can be more personal than PCs.

Regards,

Hüseyin


On 08/05/2017 at 09.54, Matthew Jones wrote:
> Raul wrote:
>
>> I really suggest you do not store the password as this is a vulnerability waiting to be exploited.
> It is a worthwhile consideration that you point out. Me, I have a checkbox that allows the user to choose. And a label to not do it on public computers. For some it is a great convenience to do this on their own computer.
>