I'm writing C++ desktop application that allows users to sign in on some web service. By technical requirements, user can check 'remember me' checkbox and after he close app and run it again, app should re-sign in with email and password user input first time.
I know that it is not safe and strongly not recommended to store passwords on disk but i have no idea how to remember user's password in safe way. Is there any best practices or advices for such case?
Note: my application is for Windows/Ubuntu/MacOS so it will be cool to know about OS-independent ways. My app is C++11/Qt5.4 based.
The way that you're supposed to implement this kind of design is to issue the user a SessionID that is stored locally, and which is used to authenticate and access their specific interface. Then, if they wish to log in again at a later time, simply use the stored SessionID, and if they wish to log in as someone else, clear the SessionID and then log them in like normal, issuing a new SessionID. That way you aren't storing sensitive information on their computer.
Related
Protecting against piracy when developing desktop applications through product keys, obfuscation, or similar client-side protections is pointless (plenty of stackoverflow posts regarding that). The only real way to prevent piracy is to create a client-server communication where important code is only on the server.
That's what I'm attempting to do with my software, require a login in order to authenticate requests to the server to process some data. Throw in an easy way to change the password and IP session tracking and it's pretty foolproof. However, now the user must enter a username and password when they want to use it, and they could enter someone else's credentials very easily.
Then thought then crossed my mind, what about embedding the username within the application when a user downloads the client software? Only a password would be required from the user's point of view, speeds things up a bit. Yes it's still possible to edit the program to someone else's username, but now it's less obvious.
So that's my question, are there any security risks or design flaws with having the username hard coded into the program? And secondly, how does one begin to implement the username embedding and C++ compilation on say... a Node js server application?
Thanks for your time.
You're missing the point of server-hosted software, and that's this:
You always have control over the server. You never have control over the client.
So when you say:
the user must enter a username and password when they want to use it, and they could enter someone else's credentials very easily
What you really mean is:
When someone enters someone else's credentials what can I do?
The answer to that is to limit or cancel access for credentials depending on access patterns. If you see suspicious access, like coming from IPs in different countries, you may want to investigate and possibly ban the account.
You're not powerless here when you control the server. Lock people out if you must.
You also don't want to embed information in the executable because legitimate owners, your customers, will want to verify they downloaded the right file based on a cryptographic hash like SHA2. If you modify each file they can't do this, and every version looks "hacked".
Instead, if you must, create some kind of encrypted access or license file that can be supplied to the server and decrypted with a key that's only stored on the server. Sure, they can share that file with someone else, but you can identify the unauthorized access and handle it accordingly.
I have an application that is run on multiple user systems, and using OAuth, allows the users to log in via Facebook, Twitter, etc. The entire point of the user logging in is to get settings and actions that the same user made while logged in on other computers, as identified by logging in with the same OAuth provider + provider user id. The application itself is written in C++ using Qt.
My question is this: how can I save the settings that a user made, and allow them to retrieve it in a secure way? I have a centralized server that I can store information using MySql tables, but I'm not sure the best way to have the user application prompt the server, and receive the data stored for that user.
Any ideas or places you could point me towards?
There are several ways I could think of with this, all have trade offs:
Generally I would store the data in mysql using some kind of string or object encryption/serialization method. I do not use Qt much but http://qt-project.org/wiki/Simple_encryption has some examples of very simple encryption that could be used.
Then the question becomes: What do you use as the key? I would go either with the key provided by OAuth for that user (which could be an issue if users de-authorize the app but still want access to this data) or some other user provided key (which is counter to using OAuth in the first place).
Another option is to go with Qt Users session http://qt-project.org/doc/qt-4.8/qtwebkit-guide-cache.html
This would maybe remove the need to encrypt since it should only be accessible within the users scope.
NOTE: Based on comments below it seems the issue is more about securing communication with the MySQL versus the data inside of MySQL. Waiting on user comments to revise my answer.
I'm writing a Facebook canvas webapp that performs a login (using urllib) to a third party website and performs actions on behalf of the user. This means I have 2 accounts; the account the user has with my webapp (via facebook) and the account the app uses to perform a login on their behalf (with user/password details provided by the user).
I obviously don't want plaintext passwords in the DB. But I also don't want the user to have to enter their password every time they perform an action. I want them to enter the password once when they sign up, and I want to encrypt the passwords, but what do I encrypt against?
Any key on the server would be available to anyone who had gained access (i.e. useless), so I was thinking of encrypting it against a value available via the Facebook API.
When the user logs in (and gives the app their access token), the app can request the value via the API and encrypt/decrypt their 3rd party password with this. Anyone with access to the server wouldn't be able to make this request without the user being logged in to the app. (This still means someone snooping on the server could get logged-in users 3rd party password, but anyone who got one-off access to the DB couldn't see passwords.) Is this wishful thinking?
You might as well encrypt it using a key on the server. If anyone gains access to your server they will have everything they need to retrieve the key even if you're getting it from Facebook.
I think the best you can do is to store the key in a location that isn't available to your webserver, but that is available to your script. At least make sure you don't store the key in the database.
Whatever you do beyond that would just be security through obscurity. The key here is to keep your server secure so that no one gains access to it.
I guess you could store the logins ONLY on the client, in some sort of local storage and do all the actions related to the third party, from the client in JS.
This of course would need some change in the architecture of your app if you tought to do all this from your server, but that would possible for sure, you can event make client JS send data to your server after it worked so you can log data from the interactions with the 3rd party.
Furthermore it has the advantage of distributing the load on the clients
I know you didn't tag the question with javascript and you seem to want a server pure solution, but It seems the best solution to me. the user keeps its data ..
Security through obscurity might be your best bet. Perhaps implement an algorithm to generate the key using something standard (like the current datetime). You can store the date in your db, and use that to generate the key using your own algorithm.
i would like to know a good software engineering way to store user preferences in a web app.
to clarify further, my app has commands that the user can choose, so
i added a button that when some commands are selected, these commands are saved as favorites somewhere on the client's machine, that way if user X logs in at anytime he can check his favorite commands and load them automatically..
how to save these commands and where? and taking into consideration that several users using the same computer should not have access to each's favorites, so i want the favorite to be saved based on userID. where and how to save them? cookies? xml? and using php or javascript is better?
thx a lot for your help:)
The best way to do this is have them log in whenever accessing your site. Then you store all of the preferences on your server and deliver them down through your UI to their browser. This will mean that it doesn't matter what browser/device they happen to be using, their settings will follow them.
I'm not sure I like the idea of modifying someone's "favorites" in their browser. I'm not sure I'd stick with a site that wanted that level of control over my browser.
Now, if you are just talking about having a page on your site that had a list of "favorites", then that's okay. Just keep it server side.
Most typical would be to store them in a database of some sort on the server side, easily accessable by the UserID. Keep in mind 'preferences' are different from 'state'. State variables are usually stored via whatever cookie mechanism you are using.
What is your web app using to hold the data on the back-end? Most likely, that is where you will want to store user preferences. Since you will already be accessing that back-end (a database, perhaps?) to authenticate the user for login, retrieving that user's preferences is a simple step from there.
The real story here is that we need more details. Are you storing authentication information in a database, or something else? How are your user sessions stored (i.e., when a user logs in, how does your web app tell that his browser is logged in on subsequent requests)? Your question seems to state this, but to clarify, are these PHP pages containing some amount of Javascript?
Depends on your requirements. You will need to choose either to store user preferences in your database, provided your users authenticate, this is probably preferred solution. But if it meets your requirements you can save user preferences in a cookie.
Here is are javascript functions and jquery plugin with examples on how to work with cookies.
I need to make a simple knowledge-base type application to use in company internal network. To make it simple and fast to use for end-users I would like to skip all the login in part (as it will be only visible to internal network users who we trust anyway) and automaticly pull the domain user name from the user and put it into the database (don't want people to waste time manually entering their name; the littler time they waste using the app, the higher chance they will actually use it).
So, is it possible to get that kind of information on a server? Do windows browsers send it in some headers that I could trust to be there?
If you are using IIS and Internet Explorer, you could turn on 'Integrated Windows Authentication' (NTLM authentication). This causes IE to automatically authenticate the user using your domain infrastructure. After automatic login, you can access the user name using the environment variable LOGON_USER. There is also a module for Apache (mod_ntlm) for this purpose, although I don't know its status.
Maybe you could event try to implement NTLM authentication yourself, but this will certainly be a lot of work.
Other than that, there seems to be no way since no reasonable browser will send the user name...
EDIT: It seems that python-win32 extensions or python-ntlm could do the trick, check out this thread. You still have to integrate it into Django, though.