1. Miguel Alzate
  2. PowerServer 2020 or older (Obsolete)
  3. Thursday, 6 August 2020 12:38 PM UTC

Hi everybody,

Several customers have asked me to implement the functionality that the system remembers (that is, stores) the user's credentials so that the user does not have to enter them at each login of the web application. I understand that this can be done through the use of cookies. What options do PowerBuilder and/or Powerserver provide for this topic?

Accepted Answer
Miguel Leeuwe
  1. Thursday, 6 August 2020 12:51 PM UTC

Hi Miguel,

For PB we use the Windows registry.

For PS I guess you could record the "connecting IP address+Computername" and grab the username in a table in the Database (or write your own cookie somewhere on the user's PC).

Before doing any login, you connect to the db with a "special user" which has only access to the table with IP addresses +computername field and the usernames field. Get the username, disconnect the "special user" and show the name in the login window.

I wouldn't recommend recording passwords.

regards,

MiguelL

Comment
  1. Miguel Alzate
  2. Thursday, 3 September 2020 23:56 PM UTC
Hello, Miguel,

I followed your recommendations and have already implemented the required functionality. Thank you, and everyone, very much!
Marco Meoni
  1. Tuesday, 11 August 2020 16:44 PM UTC

Hello everybody,

You should not store the user's pwd on the local machine. I understand that you can encrypt it and save it to a local INI, but it is still a security violation.

Traditionally the remember-me works using a cookie associated with the user in the DB. When the user goes back to the webapp, the browser sends the cookie and the server finds which user has it in the DB. But there is no direct API for handling cookies in PB/PS.

Luckily, we can use the more modern approach based on JWT. From SnapDevelop write a C# Web API that generates a JWT based on a valid usr/pwd. The JWT can be stored locally and passed back and forth using RESTClient and HTTPClient objects. Here is the how-to:

https://docs.appeon.com/snapdevelop2019/Secure_a_Web_API_with_JWT_Token/index.html

Best,

.m
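
The DB-backed remember-me token described in the answer above, as an added example that is not code from the thread or from Appeon: the server hands out a random token, stores only its hash, and rotates it on every use. `RememberMeStore`, the in-memory dictionary standing in for the database table, the 30-day lifetime and the `demo_user` name are assumptions; it targets .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

var store = new RememberMeStore();
string token = store.Issue("demo_user", TimeSpan.FromDays(30)); // constructed user name
Console.WriteLine(store.Redeem(token)?.User ?? "(rejected)");
// Replay of the already-redeemed token: Redeem rotated it, so the old value is spent.
Console.WriteLine(store.Redeem(token)?.User ?? "(rejected)");

// Stand-in for the DB table: selector -> (user, hash of secret, expiry). Names are hypothetical.
public sealed class RememberMeStore
{
    private sealed record Row(string User, byte[] SecretHash, DateTime ExpiresUtc);
    private readonly Dictionary<string, Row> _rows = new();

    // Call after a successful password login; only the returned token goes to the client.
    public string Issue(string user, TimeSpan lifetime)
    {
        string selector = Convert.ToHexString(RandomNumberGenerator.GetBytes(12));
        string secret = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        // The server keeps only a hash, so a leaked table cannot be replayed as tokens.
        _rows[selector] = new Row(user, Hash(secret), DateTime.UtcNow + lifetime);
        return selector + "." + secret;
    }

    // Returns the user and a rotated token, or null when the token is unknown, expired or wrong.
    public (string User, string NewToken)? Redeem(string token)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2 || !_rows.TryGetValue(parts[0], out var row)) return null;
        _rows.Remove(parts[0]); // single use: a presented selector is spent, valid or not
        if (row.ExpiresUtc < DateTime.UtcNow) return null;
        if (!CryptographicOperations.FixedTimeEquals(Hash(parts[1]), row.SecretHash)) return null;
        return (row.User, Issue(row.User, TimeSpan.FromDays(30))); // 30 days is an assumed lifetime
    }

    // "Forget this device" or password change: drop every token issued to the user.
    public void RevokeAll(string user)
    {
        foreach (var kv in new List<KeyValuePair<string, Row>>(_rows))
            if (kv.Value.User == user) _rows.Remove(kv.Key);
    }

    private static byte[] Hash(string s) => SHA256.HashData(Encoding.ASCII.GetBytes(s));
}
```

The client keeps only the returned token in place of the password, so what sits on the user's machine can be expired or revoked server-side without touching the account's credentials.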

 
Comment
  1. Miguel Alzate
  2. Friday, 4 September 2020 19:13 PM UTC
Oh, Marco. I hadn't read your post so far. I will try your suggestions to improve the solution. Thanks for participating.
Miguel Alzate
  1. Monday, 10 August 2020 12:33 PM UTC

Thanks all for replying. I will check the suggested solutions and let you know about results.

Chris Pollach @Appeon
  1. Thursday, 6 August 2020 14:44 PM UTC

Hi Miguel;

I do this in my STD framework. It uses a built-in one-way (mandatory for secure passwords) encryption mechanism written in pure PowerScript to save the user's credentials in an INI file. I have used this approach for almost 2 decades and it works in Native PB and PS IWA, Web & Mobile. You can see this feature in action in the OrderEntry "demo" App, as follows:

https://sourceforge.net/projects/stdfndclass/files/Applications/PowerBuilder/OrderEntry

Note that the framework's encryption feature is a global function. So feel free to grab it for your own App's use. However, the technique is generic, so you could replace the GF with the newer PB's built-in encryption object class method(s) if you like.

HTH

Regards ... Chris

Comment
  1. mike S
  2. Sunday, 9 August 2020 17:38 PM UTC
indirect is one of a few 'hidden' PB features that are not officially supported. So you would need to test this with EVERY SINGLE RELEASE including patch updates. Appeon should add this as a supported feature, or at least comment on it in the help.
  1. Chris Pollach @Appeon
  2. Sunday, 9 August 2020 20:08 PM UTC
FWIW: That could easily flip over to an unsupported feature too. I agree, we would need to have Engineering review that feature & decide one way or another.
  1. Miguel Leeuwe
  2. Tuesday, 11 August 2020 08:42 AM UTC
True, like the ".__get_attribute()" function for which I did a request to make it a documented feature quite some time ago.

I'm not alone:

https://community.appeon.com/index.php/qna/q-a/pb-internal-function-access

https://community.appeon.com/index.php/qna/q-a/answered-how-to-dynamically-create-a-column-dwobject

Armeen Mazda @Appeon
  1. Thursday, 6 August 2020 13:49 PM UTC

I don’t think it is secure to save the password to the machine.  But if you are not concerned, one option is to write to an INI file.  

Comment
  1. Miguel Leeuwe
  2. Tuesday, 11 August 2020 08:44 AM UTC
I agree. So what is a good solution nowadays? Would AD still be a good solution?

Do you have any links?

TIA,

MiguelL
  1. Armeen Mazda @Appeon
  2. Tuesday, 11 August 2020 15:06 PM UTC
From some of our customers I have been seeing a change to OpenID Connect, which is based on OAuth 2.0 and token technology.
  1. Miguel Leeuwe
  2. Wednesday, 12 August 2020 08:24 AM UTC
Thank you Armeen, I'll look into that.