Thread: Logon

Mon, Apr 18 2016 6:02 AM

Godfrey

Ultimatesoft

Hi all

What is the best practice for a logon form?  How do you display it when the application starts?  Should it be set as the main form?  I am looking for some pointers.

I will use a similar method to the example that ships with EWB.

Thanks
Godfrey
Mon, Apr 18 2016 6:13 AM

squiffy

Telemix Ltd.


Many ways to do it I'm sure, but I have mine as the main form.
It posts the login form data to my server which returns a token that I keep in memory and send with every single request. My server manages the tokens (it's like managing my own session cookie), and will respond only with a not logged in message if you ask it to do anything without the token being valid. All my ajax events just reload the app in that case.

Seems to work for me.
Mon, Apr 18 2016 7:22 AM

Godfrey

Ultimatesoft

squiffy wrote:

<<Many ways to do it I'm sure, but I have mine as the main form.
It posts the login form data to my server which returns a token that I keep in memory and send with every single request. My server manages the tokens (it's like managing my own session cookie), and will respond only with a not logged in message if you ask it to do anything without the token being valid. All my ajax events just reload the app in that case.>>

What is the format of this token?

Do you store it in a global variable on client side?

How do you store and remove tokens on server side?  Do they time out if the person does not log out and simply closes the browser?

Thanks
Godfrey
Mon, Apr 18 2016 8:16 AM

Matthew Jones

Godfrey wrote:

> Hi all
>
> What is the best practise for a logon form?  How do you display it
> when the application starts.  Should it be set as the main form.  I
> am looking for some pointers.
>
> I will use a similar method to the example that ships with EWB.

As Squiffy says, many ways. The one I've tended to adopt is based on a
main form with a PanelParent panel, and onto that I parent the various
forms that the user can use to do work. This is flexible, as it means
that some forms don't need to be logged in, while others can enforce
it. Along with the server returning "unauthorised" responses to kick
back to the login, it works well. (My web shop for example allows you
to browse and put things in the basket, but when you go to pay, it asks
for the account and forces a login (and authentication).)


So my typical top menu item is like:

procedure TfrmWelcome.GotoSomewhere;
begin
   { Not logged in yet: divert to the login form instead of the requested one }
   if not LoginValid then
   begin
       GotoLogin;
       exit;
   end;

   { Logged in: unlock the menu and let the state machine load the form }
   EnableMenuItems;
   RunStateMachineEx(CONN_SOMEWHERE);
end;


The state machine knows the state of things, and will try to log you
in, or gather information, so it can show a form, get the data for it,
and then wait for the user. But that's a detail of my code.

--

Matthew Jones
Mon, Apr 18 2016 10:07 AM

squiffy

Telemix Ltd.


>> What is the format of this token?

It's a UUID generated by the server (most will have some way of generating one)

>> Do you store it in a global variable on client side?

Yes. Just in memory (i.e. not in local storage). Refreshing loses it. I have written a small ajax class that ensures the token always gets sent to the server.

>> How do you store and remove tokens on server side?  

I use something called B4J (www.b4x.com) - more as an experiment than a long term thing - and I am maintaining a global Map of UUIDs. It's similar to PHP's $_SESSION superglobal, but it allows me to work without browser cookies. I had a cross site issue with my set up which meant I couldn't. I would advise using cookies if possible as it's a fairly standard way to do these things.

>> Do they timeout if the person does not log out and simply closes the browser.

Yes, just like session variables I track the last use time (and simple browser/IP info), then treat the token as invalid if any of my tests against it fail.
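The server side of the scheme squiffy describes (a map of server-generated UUID tokens, each bound to browser/IP info and dropped after a period of no use), written out as an added Python example; it is not squiffy's B4J code, and the timeout, the fingerprint format and the sample user-agent/IP values are assumptions chosen for illustration.

```python
import time
import uuid
from dataclasses import dataclass

IDLE_TIMEOUT = 30 * 60  # assumed: seconds of inactivity before a token is dropped


@dataclass
class Session:
    user: str
    fingerprint: str   # browser/IP info captured at login, re-checked on every request
    last_use: float


class TokenStore:
    """The 'global Map of UUIDs'. The clock is injectable so tests are deterministic."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # token -> Session

    def login(self, user, user_agent, ip):
        token = str(uuid.uuid4())  # random UUID, not guessable from other tokens
        self._sessions[token] = Session(user, f"{user_agent}|{ip}", self._clock())
        return token

    def lookup(self, token, user_agent, ip):
        """Return the user for a valid token, else None (the 'not logged in' reply).
        Any failed check discards the token so it cannot be reused afterwards."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_use > IDLE_TIMEOUT or s.fingerprint != f"{user_agent}|{ip}":
            del self._sessions[token]
            return None
        s.last_use = now  # sliding expiry, as with a session cookie
        return s.user

    def logout(self, token):
        self._sessions.pop(token, None)

    def sweep(self):
        """Drop idle tokens left behind by users who just closed the browser."""
        cutoff = self._clock() - IDLE_TIMEOUT
        stale = [t for t, s in self._sessions.items() if s.last_use < cutoff]
        for t in stale:
            del self._sessions[t]
        return len(stale)
```

The sweep needs to run periodically (a timer on the server), since a closed browser never sends a logout request.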