Logins How To's

From Pengower

Learn how to use different login techniques and processes.

How to securely get a User ID in a login page

When requesting a user ID and a password from a user in a Public View, there are a couple of things you need to do to safeguard against SQL injection and similar attacks. Firstly, never build SQL like this: Get user where uid = xxx AND pwd = yyy. This is wide open to SQL injection, where the end user puts something like t OR 1=1 in as their password. Instead, always use SQL to retrieve the user record on the uid alone, and then compare the password separately.

In addition, to stop the SQL choking on special characters, you should strip some characters out of the user ID before you build the SQL:

Set uid = Do Request Field Params Name = "username"
Set str = "" + uid

//Strip single quotes
Set repl = "'"
Set with = ""
Set tmpStr = Do Replace String Params String = str, Replace = repl, With = with
Set str = tmpStr

//Strip double quotes
Set repl = DBLQTE
Set with = ""
Set tmpStr = Do Replace String Params String = str, Replace = repl, With = with
Set str = tmpStr

//Strip spaces
Set repl = " "
Set with = ""
Set tmpStr = Do Replace String Params String = str, Replace = repl, With = with
Set str = tmpStr

Set username = "" + str.ToLower
Set pwd = Do Request Field Params Name = "password"

//Both fields must be supplied before we go near the database
If ((uid = "") OR (pwd = ""))
    Set Msg = "Please enter your username and password"
    Set args = {}
    Add Msg To args
    Set out = Do Run Script Params Script Name = "fn Employee Login Open", Args = args
    Output = out[3]
    Return_Ok
EndIf

//Look the record up on the (sanitised) username only; the password is compared separately afterwards
Set sql = "((LOWER(Email address) = '" + username + "') OR (LOWER(Alternate email) = '" + username + "'))"
Set empArr = Get "Employee" Where sql  //Try to find by email address
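The rule above (look the user up on the user ID only, then check the password separately) shown as an added Python example, not Pengower script, next to the concatenated-WHERE pattern the page warns about. It runs against an in-memory SQLite table; the table layout, the PBKDF2 password hashing and the sample record are my assumptions, since the page only says to compare the password separately. Binding the user ID as a query parameter also removes the need to strip quotes and spaces by hand.

```python
# Added example (Python, not Pengower script): user lookup by ID only, password
# checked separately, beside the concatenated WHERE clause the page says never to use.
# Table layout, PBKDF2 hashing and the sample record are assumptions.
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 (assumed; the page does not say how passwords are stored)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table holding one employee record
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (email TEXT, alt_email TEXT, salt BLOB, pwd_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO employee VALUES (?, ?, ?, ?)",
        ("alice@example.com", "a.smith@example.com", salt,
         hash_password("correct horse", salt)),
    )
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, uid: str, pwd: str) -> bool:
    # The pattern the page warns against: both fields concatenated into one WHERE
    # clause, so the text typed as the password can rewrite the query.
    sql = (
        "SELECT COUNT(*) FROM employee "
        f"WHERE email = '{uid}' AND pwd_hash = '{pwd}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, uid: str, pwd: str) -> bool:
    # 1. Fetch the record on the user ID only, with a bound parameter instead of
    #    string concatenation, so no characters need stripping at all.
    username = uid.strip().lower()
    row = conn.execute(
        "SELECT salt, pwd_hash FROM employee "
        "WHERE LOWER(email) = ? OR LOWER(alt_email) = ?",
        (username, username),
    ).fetchone()
    if row is None:
        return False
    # 2. Compare the password separately, in constant time, against the stored hash.
    salt, stored = row
    return hmac.compare_digest(hash_password(pwd, salt), stored)


if __name__ == "__main__":
    db = make_db()
    print("safe, correct password:  ", login_safe(db, "Alice@Example.com", "correct horse"))
    print("safe, injected password: ", login_safe(db, "alice@example.com", "t' OR '1'='1"))
    print("unsafe, injected password:", login_unsafe(db, "nobody", "t' OR '1'='1"))
```

With the injected password the concatenated query counts a row it should not, while the two-step lookup simply fails the hash comparison; the lookup still matches either e-mail column case-insensitively, as the Pengower snippet does.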


How to Auto Login

This script snippet shows you how to create a URL that can be used to automatically log a user in.

Building the URL for the email:

Set link = Do View URL Params Name = "cio_mobile"
Set ref = "" + approver["Reference"]
Set enc = Do Encrypt String Params String = ref
Set ipref = "" + ip["Reference"]
Set encip = Do Encrypt String Params String = ipref
Set fullLink = link + "&ident=" + enc + "&ip=" + encip

//We use the 'Encrypt String' parameter just for a bit of added security.

Accessing the query string:

Set tmp = Do Query String Element Params Key = "ident"
Set ident = "" + tmp
If ident = ""
   Output = "<b>ERROR IDENTIFYING USER</b>"
   Return_Ok
EndIf
Set ref = Do Decrypt String Params String = ident
Set arr = Get "Staff Member" Where Reference = ref
If arr.Count != 1
   Output = "<b>ERROR IDENTIFYING USER (2)</b>"
   Return_Ok
EndIf
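Both halves above (building the auto-login link, then reading the identifier back out of the query string and rejecting a missing or unrecognised one) as an added Python example, not Pengower script. Where the page uses 'Encrypt String', this substitutes an HMAC tag over the reference, so the receiving side can tell a genuine identifier from an altered one; the key, view URL and references are constructed sample values.

```python
# Added example (Python, not Pengower script) of building the auto-login link and
# resolving the 'ident' parameter on the way back in. HMAC-SHA256 over the reference
# is my substitution for the page's 'Encrypt String'; key and values are constructed.
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

KEY = b"constructed-demo-key-replace-in-real-use"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_ident(reference: str, key: bytes = KEY) -> str:
    # Token layout: <base64(reference)>.<base64(HMAC-SHA256(key, reference))>
    ref = reference.encode("utf-8")
    tag = hmac.new(key, ref, hashlib.sha256).digest()
    return _b64(ref) + "." + _b64(tag)


def build_link(view_url: str, approver_ref: str, ip_ref: str) -> str:
    # Mirrors: fullLink = link + "&ident=" + enc + "&ip=" + encip
    return view_url + "&" + urlencode(
        {"ident": make_ident(approver_ref), "ip": make_ident(ip_ref)}
    )


def resolve_ident(url: str, param: str = "ident", key: bytes = KEY):
    # Mirrors the 'Accessing the query string' snippet: returns the reference, or
    # None when the parameter is missing, malformed, or fails the tag check
    # (the cases the page reports as ERROR IDENTIFYING USER).
    value = parse_qs(urlparse(url).query).get(param, [""])[0]
    if "." not in value:
        return None
    ref_part, tag_part = value.split(".", 1)
    try:
        ref, tag = _unb64(ref_part), _unb64(tag_part)
    except ValueError:
        return None
    expected = hmac.new(key, ref, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return ref.decode("utf-8")


if __name__ == "__main__":
    full_link = build_link("https://app.example/view?name=cio_mobile", "EMP-0042", "10.0.0.5")
    print(full_link)
    print("ident resolves to:", resolve_ident(full_link))
    print("ip resolves to:   ", resolve_ident(full_link, "ip"))
    print("no ident at all:  ", resolve_ident("https://app.example/view?name=cio_mobile"))
```

The caller then does the equivalent of the page's Get "Staff Member" Where Reference = ref on the returned value, and still checks that exactly one record comes back.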

View launch and login etc.

The idea behind using this approach to log into a view is that you initially launch a pseudo public view to request the user credentials (just open a custom form or use some custom HTML). From there you can then use scripted logon actions to get to the correct view.

Set rep = Do View Login Params View = "Secure View", Username = un, Password = pwd
If (rep != "Ok")
   Output = "Login Error"
   Return_Ok
EndIf


How to show a Password Strength Indicator

A password strength indicator shows users how strong and unique their chosen password is. However, there is no relation whatsoever between strength and adherence to the password rules: they work completely differently, and a weak password may pass the rules while a strong password may not.

How to use

This requires an application with the scriptfiles\pwdstrength folder (with contents). Just put this code in an Information field (or some custom HTML) and update the line var id = "#CHANGETHISTOTHEIDOFYOURPASSWORDFIELD"; to point to your password field, for example var id = "#123456";. If you want to play around with the styles, remove the reference to the stylesheet, copy the contents of the stylesheet into your HTML and edit it there.


<div id="scorebarBorder">
    <div id="score">0%</div>
    <div id="scorebar" style="background-position: 0pt 50%;"> </div>
</div>
<div id="complexity">Too Short</div>

<script type="text/javascript" src="scriptfiles/jquery-1.3.2.min.js"></script>
<script type="text/javascript" src="scriptfiles/pwdstrength/pwdmeter.js"></script>

<script type="text/javascript">
$(function() {
    var id = "#CHANGETHISTOTHEIDOFYOURPASSWORDFIELD";
    $(id).keyup(function() {
        var pwd = $(id).val();
        chkPass(pwd); // chkPass comes from pwdmeter.js (included above) and updates the score elements
    });
    $(id).keyup(); // Trigger it once so the indicator is right after a postback
});
</script>

<link type="text/css" href="scriptfiles/pwdstrength/css/pwdmeter.css" media="screen" rel="stylesheet" />
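The point made above, that the strength estimate and the password rules are separate measures and can disagree, as an added Python example (not the page's pwdmeter.js). The rule set, the entropy model, the percentage thresholds and the tiny deny-list are my assumptions, chosen so that the disagreement is visible on two sample passwords.

```python
# Added example (Python, not pwdmeter.js): a rule check and a strength estimate side
# by side, to show that a password can pass one and fail the other. The policy,
# the entropy model, the labels and the deny-list are assumptions.
import math
import string

# Constructed stand-in for a list of known-compromised passwords
COMMON_PASSWORDS = {"password", "p@ssw0rd", "qwerty123", "letmein!1"}


def passes_rules(pwd: str) -> bool:
    # Assumed policy: at least 8 characters and three of the four character classes
    classes = (
        any(c.islower() for c in pwd),
        any(c.isupper() for c in pwd),
        any(c.isdigit() for c in pwd),
        any(c in string.punctuation for c in pwd),
    )
    return len(pwd) >= 8 and sum(classes) >= 3


def strength_bits(pwd: str) -> float:
    # Rough guessing-entropy estimate: log2(pool) bits per character, where pool is
    # the union of the character classes used; a deny-listed password scores zero
    # no matter how many classes it mixes.
    if pwd.lower() in COMMON_PASSWORDS:
        return 0.0
    pool = 0
    if any(c.islower() for c in pwd):
        pool += 26
    if any(c.isupper() for c in pwd):
        pool += 26
    if any(c.isdigit() for c in pwd):
        pool += 10
    if any(not c.isalnum() for c in pwd):
        pool += 33  # punctuation and space
    return len(pwd) * math.log2(pool) if pool else 0.0


def indicator(pwd: str) -> tuple[int, str]:
    # Percentage and label in the shape of the page's #score / #complexity elements.
    # 80 bits counts as 100%; the thresholds are assumed, not pwdmeter's.
    if len(pwd) < 8:
        return 0, "Too Short"
    percent = min(100, round(strength_bits(pwd) / 80 * 100))
    if percent < 40:
        label = "Weak"
    elif percent < 80:
        label = "Good"
    else:
        label = "Strong"
    return percent, label


if __name__ == "__main__":
    for sample in ("P@ssw0rd", "correct horse battery staple"):
        print(f"{sample!r}: rules={passes_rules(sample)} indicator={indicator(sample)}")
```

"P@ssw0rd" satisfies every rule yet scores 0% because it is on the deny-list, while "correct horse battery staple" fails the class rule and still scores 100%; a form that only checks one of the two will accept or reject the wrong passwords.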