login security - Forum - Mobile - Progress Community


  • Does somebody have a kind of tutorial to demonstrate how to make a login for an app that connects to a Progress server? And how to store the credentials safely, or sort of a key?

  • You can store login credentials in the DB. To store the password, you can use the encrypt function or any encryption algorithm. On the login screen, invoke a service with the userID and password the user entered as input, return true/false, and then validate based on the return value. On the server side, you can check that the password entered by the user is the same as the password in the DB after the encrypt function.

  • Yes, of course, user credentials are in a DB on the server. But how do you send them to the appserver? Use https? How exactly do I implement this to export my app for native Android/iPhone?

  • I implemented this concept in my test app. On the server side, I created a dataset dsLogin and added a method "Login" with return type logical and input parameters for username and password in its .cls file.

    I passed the username and password entered by the user to this method and returned either true or false for login success or failure.

    On the client side, when the user presses the login button, I added the following JavaScript code:

    try {
      // JSDO bound to the dsLogin resource; autoFill is off because only the invoke is needed
      var dsLogin = new progress.data.JSDO({
        name : 'dsLogin',
        autoFill : false});

      // read the values the user typed on the login screen
      var cUser = Tiggzi('tEmpCode').val();
      var cPass = Tiggzi('tpassword').val();

      // register the callback, then invoke the server-side login operation
      dsLogin.subscribe('afterInvoke', 'userLogin', onAfterInvokeuserLogin);
      dsLogin.userLogin( {loginID : cUser, password : cPass} );

      function onAfterInvokeuserLogin (jsdo, success, request) {
        var res = request.response;
        if (success) {
          if (res._retVal == "true") {
            // add your code for login success
          }
          else if (res._retVal == "false") {
            alert("login failed. please retry!");
          }
        }
        else {
          // the invoke itself failed: walk the errors returned by the server
          if (res && res._errors &&
              res._errors.length > 0) {
            var lenErrors = res._errors.length;
            for (var idxError = 0; idxError < lenErrors; idxError++) {
              var errorEntry = res._errors[idxError];
              var errorMsg = errorEntry._errorMsg;
              var errorNum = errorEntry._errorNum;
            }
          }
        }
      }
    }
    catch (e) {
      alert(e);
    }

    Hope this will help!

  • Thank you, but this kind of login I can manage already.

    But I meant the security. Your login method sends the username and password in plaintext to the server, no?

    How to make sure that they are encrypted with https?

  • Sorry.. I am just a newbie to all this stuff!

  • You're correct that the credentials will be sent in plain text unless you use SSL. However, the only thing that your client-side JavaScript code needs to do differently for SSL is use the https versions of the URIs for the service and the catalog (including specifying the SSL port if it's not the default). The browser or native wrapper handles the certificates and encryption, at a lower level than your JS code. (This includes prompting the user if the browser/wrapper doesn't know about the CA that signed the server's certificate -- even in that case, your code will not be involved.)

    So --

    1. Yes, do use SSL

    2. Make sure the server is enabled for SSL

    3. In the client, just make sure your JS code is using the HTTPS URIs

    -- Wayne
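
A small guard for point 3 above, as an added example that is not part of the original thread or of the JSDO library: it refuses to proceed unless both the service and the catalog URIs are absolute https URIs, and it reports the port each one will use. The function name, the requirement for absolute URIs and the example.com URIs are assumptions made for illustration.

```javascript
// Added example: hypothetical pre-login check, not a Progress/JSDO API.
// Call it with the service and catalog URIs before sending any credentials.
function checkTransportUris(serviceURI, catalogURI) {
  var problems = [];
  var ports = {};
  [['service', serviceURI], ['catalog', catalogURI]].forEach(function (pair) {
    var label = pair[0];
    var u;
    try {
      // Assumption: URIs are absolute, as a native wrapper has no https page to inherit from
      u = new URL(pair[1]);
    } catch (e) {
      problems.push(label + ': not an absolute URI');
      return;
    }
    if (u.protocol !== 'https:') {
      problems.push(label + ': scheme is ' + u.protocol +
                    ' so the login would travel in plain text');
      return;
    }
    if (u.username || u.password) {
      problems.push(label + ': credentials must not be embedded in the URI');
    }
    // URL.port is '' when the default port for the scheme (443 for https) is used
    ports[label] = u.port === '' ? 443 : Number(u.port);
    if (ports[label] === 80) {
      problems.push(label + ': https on port 80 is likely the plain HTTP port');
    }
  });
  return { ok: problems.length === 0, problems: problems, ports: ports };
}

// Constructed sample URIs (not from the thread)
var good = checkTransportUris(
  'https://app.example.com:8443/MobileApp/rest/LoginService',
  'https://app.example.com:8443/MobileApp/static/mobile/LoginService.json');
var bad = checkTransportUris(
  'http://app.example.com/MobileApp/rest/LoginService',
  'https://app.example.com/MobileApp/static/mobile/LoginService.json');

console.log(good.ok, good.ports);
console.log(bad.ok, bad.problems);
```

Only when `ok` is true should the login code go on to create the JSDO and invoke the login operation.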