I want to add a "Remember Me" check box to the login form of my WPF App. What's the best way to do this?
Currently the app logs in via a websevice call that returns an authenticated token that it uses for subsequent calls. Should I simply two-way encrypt and store this token somewhere in the files system?
You could also store it in Isolated Storage or create a User setting in your application's Settings.
Edit: Oren's suggestion of using DPAPI to protect information is well and good, but it doesn't store anything:
An important point to remember is that DPAPI merely applies cryptographic protection to the data. It does not store any of the protected data; therefore applications calling DPAPI must implement their own storage of the protected data.
Use the DPAPI. See also How to store passwords in Winforms application?.
I googled another solution:
Right click on your Project -> Properties -> Setting.
Add your variable which you need to store on client machine.
For example:
Name Type Scope Value
UserName String User
Password String User
Then, for example, you want to save preference on login button click:
If(CheckboxRemember.checked)
{
YourProjectNamespace.Properties.Settings.Default.UserName = TextBoxUserName.Text;
YourProjectNamespace.Properties.Settings.Default.Password = TextPassword.Text;
YourProjectNamespace.Properties.Settings.Default.Save();
}
On the same way, access these value on window load or application startup:
TextBoxUserName.Text = YourProjectNamespace.Properties.Settings.Default.UserName;
TextPassword.Text = YourProjectNamespace.Properties.Settings.Default.Password;
Related
I have a login page,
when a user login for the first time it should show the terms and agreement popup with accept button.
if user is accepted it for the first time . when user login for next time popup should not come.
i want to use local storage for this function no db changes allowed.
so what i have to save in localstorage. the scenario is complex when this has to work for diffrent users.
in angularjs i m using ngstorage plugin.
i can save data into local storage like
$localStorage.data="username";
in this case how i have to save for diffrent diffrent user?
You can have a key value pair, where key indicates the username and value indicate whether it has been loaded or not and push them into an array.
Something like this,
var testObj = { 'John': true };
// Put the object into storage
localStorage.setItem('John', JSON.stringify(testObject));
Similarly for all the users.
Then retrieved by using username,
var retrievedObject = localStorage.getItem('John');
console.log('User has already loaded: ', JSON.parse(John));
DEMO APP USING angular-local-storage
The msdn documentation on PasswordBox.Password says:
When you get the Password property value, you expose the password as plain text in memory. To avoid this potential security risk, use the SecurePassword property to get the password as a SecureString.
So I send SecurePassword to my view model on PasswordChanged event, expecting everything to be secure, but if I inspect my application with Snoop, in PasswordBox's Password property I see the password I entered in plain text. Does that not kill the whole purpose of using SecurePassword? Is there anything else I should do here to protect the passwords?
This is my humble opinion.
Snoop injects its code in running application. So, it's basically a hacking tool. A very easy-to-use hacking tool, which works only with your GUI.
This is why simply changing visibility of any item to hide some data from user is a poor secutity desicion. Everything about restrictions, access and security shouldn't be handled at UI layer. There are ways on How to Snoop proof your wpf application? but main point of answers there is that you have to design your application in the way, which doesn't allow snoop to violate anything. Validate everything on the server, for example.
Back to your question:
There are two scenarios. First one is: user creates a password. I believe this is not a concern, if a user or user's malware will see the password at this moment. Then you receive and store secured string. And clear user's password.
Second scenario: you display a stored password to user. The trick is - you don't display it. You know a length of a password, so you can display just disabled textbox with ****. And if a user wants to change a password - you give him actual passwordboxes, which he has to fill with old password and new one and we are back to scenario #1.
The silver lining is:
When a user inputs a password it's not a big deal, that it is lying in clear text somewhere in a memory, since a user knows what he've typed and malware can track keys pressed.
After you've stored the password you never ever give it back to user
Update: This is a source code for Password property of a Password box
public string Password
{
[SecurityCritical]
get
{
string password;
using (SecureString securePassword = this.SecurePassword)
{
IntPtr ptr = System.Runtime.InteropServices.Marshal.SecureStringToBSTR(securePassword);
try
{
unsafe
{
password = new string((char*)ptr);
}
}
finally
{
System.Runtime.InteropServices.Marshal.ZeroFreeBSTR(ptr);
}
}
return password;
}
So, I guess what MSDN is saying, is that whenever you access Password property, by calling it in code (or viewing it in VS while debugging, or viewing it it Snoop) you call it's get method, which decrypts SecuredString to plain text, what exposes it to memory. If you don't call Password property and don't call it by inspecting in software tools, then password doesn't show up in memory in plain text.
I want to create a training path for new users accessing my site. This training path must display info bubbles showing what you can do on every page, but only the first time you access it.
So, for example, if a user enters a page where there's an edit button an info box should appear next to the edit button telling the user that he can edit that page.
I will create the script myself, I just want to know what's the best method to check if the user has already seen that box or not. I was thinking about storing in database a boolean value for each info box which will be set to true if the user has seen the box. To save some queries from the DB I think I can also store the same values in localStorage or in Cookies.
What is the best practice for creating user training paths for a website?
The way I suggest is to store user id (ip or username ? ) and a bit value for each bubble like you say.
PS: for your script you can use this:
http://www.maxvergelli.com/jquery-bubble-popup/documentation/
Jérôme
On this winform application I am writing, I want to secure one menu item from most users. It runs a month-end and cannot be easily backed out if accidentally run. The menu option opens up a window to prompt the user for some information before processing. I don't care where exactly I do the check, but I want to be sure only certain users can run this function.
A Google search (on my question title above) didn't turn up anything obvious. Can anyone point me in a direction to pick up who is signed into Windows and how to check if they are authorized?
This page has some code for getting user details and checking them.
This code:
public string GetloggedinUserName()
{
System.Security.Principal.WindowsIdentity currentUser =
System.Security.Principal.WindowsIdentity.GetCurrent();
return currentUser.Name;
}
returns the current user name. You could use this to check against your list of authorised users.
More details on the WindowsIdentityclass can be found here.
It has a Groups property which you could use to check for membership of a group rather than having to check individual users.
i am planing to set a permission on my event index page, which just allow certain user to view which had set when i add the event. After user click into my event, the event controller will 1st check the user id and check the event database which control the user can see which event in his calendar. The permission is added when user create a event and share to other user. Beside, how can i find the current user id to compare with my event database which is the accurate 1?
any suggestion for me to did this function?
i need to know the code and concept how i get the current user id to compare with all the event database, and allow the current user see the certain event.
thanks alot for your information.
The recommended approach for getting logged in user data is via the AuthComponent itself:
// in any controller
$userId = $this->Auth->user('id');
See Accessing the logged in user in the Auth section of the CakePHP Book.
Use sessions to save and read data for a user between pages.
Within Controllers:
// store a user id in the session
$this->Session->write('User.id', $userId);
// read a user id from the session
$userId = $this->Session->read('User.id');
Within Views:
// read a user id from the session
$userId = $session->read('User.id');
You can use any key you want if you prefer something over "User.id". I simply use this since it is what the AuthComponent defaults to if you are using that.
What you're looking for are ACLs (Access Control Lists). There's an AclComponent built into Cake which you should look into. It works together with the AuthComponent, which will hold the user id. It's a little complicated at first, but worth the hassle.
Also, for a simple approach, have a look at the model and controller settings of AuthComponent::authorize. This allows you to define an isAuthorized() method in your controller or model (your choice) which will store logic that determines access (should return true if access allowed and false if denied).
to see sessions, queries, data, and everything else that is passed from page to page in cake use this amazing little helper http://thechaw.com/debug_kit