Thread: [Cppcms-users] Validating user's login using session ID
From: <cn...@gr...> - 2010-09-12 11:36:11

Hello! Gurus,

I want some services to be only available to logged-in users. My design goes like this:

1. The user fills out the login form and sends account and password to the server through the https protocol.

2. The server validates the incoming account and password. If the account and password are valid, the server sets that session ID as the cookie value for that client using this assignment (and cppcms will do the rest for me?):

       cppcms::application::session()["logged_in_sid"]=<the_current_session_id>;

3. When requested for the special services, the server will first check if the client already logged in before offering them:

       if(session().is_set("logged_in_sid")){
           //Offer the special services here.
       }

I assume that the session IDs generated by cppcms do not overlap for a fairly long time. I most likely will configure the cppcms server to session.expire="browser". Also, I feel setting the session ID as the only cookie data in browsers is pretty efficient because its size is very small.

Here are the questions I need your enlightenment on:

1. Is such a design correct, efficient, and not too vulnerable? Do I miss anything?

2. I don't see a member function that returns the current session ID in class "session_interface". Where can I have it instead?

Best Regards,
CN
From: <cn...@gr...> - 2010-09-12 14:54:23

Hi!

I add a file widget in a form:

    cppcms::widgets::file picture;

And enforce a check on the file name extension:

    picture.filename(booster::regex::regex(".*\\.(jpg|jpeg|png)"));

The compiler/linker complains:
------------------
g++ -Wall app.cpp view.cpp -o app -lcppcms -lbooster
/tmp/ccFMAK7N.o: In function `content::info_form::info_form()':
hello.cpp:(.text._ZN7content11info_formC1Ev[content::info_form::info_form()]+0x140): undefined reference to `cppcms::widgets::file::filename(booster::regex const&)'
collect2: ld returned 1 exit status
make: *** [app] Error 1
------------------

cmake output for cppcms follows:
------------------
-- The C compiler identification is GNU
-- The CXX compiler identification is GNU
-- Check for working C compiler: /usr/bin/gcc
-- Check for working C compiler: /usr/bin/gcc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Performing Test GCC_IS_GCC4
-- Performing Test GCC_IS_GCC4 - Success
-- Looking for socket
-- Looking for socket - found
-- Looking for gethostbyname
-- Looking for gethostbyname - found
-- Performing Test BOOSTER_HAS_GCC_SYNC
-- Performing Test BOOSTER_HAS_GCC_SYNC - Success
-- Performing Test BOOSTER_HAVE_GCC_BITS_EXCHANGE_AND_ADD
-- Performing Test BOOSTER_HAVE_GCC_BITS_EXCHANGE_AND_ADD - Failed
-- Performing Test BOOSTER_HAVE_GCC_EXT_EXCHANGE_AND_ADD
-- Performing Test BOOSTER_HAVE_GCC_EXT_EXCHANGE_AND_ADD - Success
-- Performing Test BOOSTER_HAVE_FREEBSD_ATOMIC
-- Performing Test BOOSTER_HAVE_FREEBSD_ATOMIC - Failed
-- Performing Test BOOSTER_HAVE_SOLARIS_ATOMIC
-- Performing Test BOOSTER_HAVE_SOLARIS_ATOMIC - Failed
-- Performing Test BOOSTER_HAVE_MAC_OS_X_ATOMIC
-- Performing Test BOOSTER_HAVE_MAC_OS_X_ATOMIC - Failed
-- Performing Test BOOSTER_HAVE_STDINT_H
-- Performing Test BOOSTER_HAVE_STDINT_H - Success
-- Performing Test BOOSTER_HAVE_INTTYPES_H
-- Performing Test BOOSTER_HAVE_INTTYPES_H - Success
-- Performing Test BOOSTER_AIO_HAVE_PF_INET6
-- Performing Test BOOSTER_AIO_HAVE_PF_INET6 - Success
-- Performing Test CPPCMS_HAVE_STDINT_H
-- Performing Test CPPCMS_HAVE_STDINT_H - Success
-- Performing Test CPPCMS_HAVE_INTTYPES_H
-- Performing Test CPPCMS_HAVE_INTTYPES_H - Success
-- Looking for atoll
-- Looking for atoll - found
-- Looking for _atoi64
-- Looking for _atoi64 - not found
-- Looking for snprintf
-- Looking for snprintf - found
-- Looking for stat
-- Looking for stat - found
-- Looking for _stat
-- Looking for _stat - not found
-- Performing Test LIBC_ICONV
-- Performing Test LIBC_ICONV - Success
-- Performing Test CPPCMS_HAVE_STD_WSTRING
-- Performing Test CPPCMS_HAVE_STD_WSTRING - Success
-- Performing Test CPPCMS_HAVE_BSD_TM
-- Performing Test CPPCMS_HAVE_BSD_TM - Success
-- Performing Test CPPCMS_HAVE_CPP0X_UXSTRING
-- Performing Test CPPCMS_HAVE_CPP0X_UXSTRING - Failed
-- Performing Test CPPCMS_HAVE_CPP_0X_AUTO
-- Performing Test CPPCMS_HAVE_CPP_0X_AUTO - Failed
-- Performing Test CPPCMS_HAVE_CPP_0X_DECLTYPE
-- Performing Test CPPCMS_HAVE_CPP_0X_DECLTYPE - Failed
-- Performing Test CPPCMS_HAVE_GCC_TYPEOF
-- Performing Test CPPCMS_HAVE_GCC_TYPEOF - Success
-- Performing Test CPPCMS_HAVE_UNDERSCORE_TYPEOF
-- Performing Test CPPCMS_HAVE_UNDERSCORE_TYPEOF - Success
-- Looking for dlopen
-- Looking for dlopen - not found
-- Looking for dlopen in dl
-- Looking for dlopen in dl - found
-- Looking for socket
-- Looking for socket - found
-- Looking for gethostbyname
-- Looking for gethostbyname - found
-- Looking for canonicalize_file_name
-- Looking for canonicalize_file_name - found
-- Configuring done
-- Generating done
-- Build files have been written to: /usr/src/cppcms-0.99.2.1/build
------------------

Any clue will be much appreciated!

Thank you in advance!

CN
From: Artyom <art...@ya...> - 2010-09-12 16:48:08

Thanks for the report, fixed in svn.

BTW, there are some better tests for checking file type: mime() type and add_valid_magic(), where the last is the best one.

Artyom

> From: "cn...@gr..." <cn...@gr...>
> To: cpp...@li...
> Sent: Sun, September 12, 2010 4:53:50 PM
> Subject: [Cppcms-users] undefined reference to `cppcms::widgets::file::filename(booster::regex const&)'
From: <cn...@gr...> - 2010-09-13 09:48:17

Hi! Artyom,

> BTW, there are some better tests for checking file type: mime() type and add_valid_magic() where the last is the best one.

Thank you for the enlightenment! According to http://www.garykessler.net/library/file_sigs.html , the jpeg magic number is "FF D8 FF E0 xx xx 4A 46 49 46 00" and the png one is "89 50 4E 47 0D 0A 1A 0A".

Member function

    void cppcms::widgets::file::add_valid_magic(std::string const &)

expects std::string as the argument. If I accept both jpeg and png files, what std::string should I pass to add_valid_magic?

This raises another question: it is the server's responsibility rather than the browser's to perform the validation triggered by add_valid_magic, isn't it? If it is, will cppcms automatically do the validation? If it is the programmer's job, a snippet of validation example code will be much appreciated.

Thank you in advance!

Regards,
CN
From: Artyom <art...@ya...> - 2010-09-13 10:01:31

> > BTW, there are some better tests for checking file type: mime() type and
> > add_valid_magic() where the last is the best one.
>
> Thank you for the enlightenment! According to
> http://www.garykessler.net/library/file_sigs.html
> , the jpeg magic number is "FF D8 FF E0 xx xx 4A 46 49 46 00" and the png one is
> "89 50 4E 47 0D 0A 1A 0A".
>
> Member function
>
>     void cppcms::widgets::file::add_valid_magic(std::string const &)
>
> expects std::string as the argument. If I accept both jpeg and png files, what
> std::string should I pass to add_valid_magic?

You should call add_valid_magic twice and for each one provide a valid magic: for jpeg it is enough to give "\xFF\xD8\xFF" (see the more detailed description in the link you had given) and for PNG "\x89\x50\x4E\x47\x0D\x0A\x1A\x0A".

> This raises another question: It is server's responsibility rather than browsers
> to perform the validation triggered by add_valid_magic, isn't it?

Of course it is a server-side check, quite simple: a test that the file begins with this string, that's it.

> If it is, will cppcms automatically do the validation?

Yes, when you call your_form.validate() (as you usually do for forms) you'll get the validation result. Each widget has its own set of parameters to validate.

> If it is programmer's job, a snippet of validation example code will be much appreciated.

See the forms example (you had probably seen it) and refer to each widget's reference to see the validation options: http://cppcms.sourceforge.net/cppcms_ref_v0_99/namespacecppcms_1_1widgets.html

Artyom
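Added example (editor's code, not from the thread and not cppcms source): a plain C++ stand-in for the server-side check Artyom describes for add_valid_magic(), i.e. the upload passes only if its first bytes equal one of the registered prefixes. It also shows why the two magics should be built with an explicit length: the full JFIF signature CN quoted ends in a 00 byte, and a const char* constructor would silently truncate it there. The MagicValidator type, the bytes() helper and the three sample uploads are constructed for this example and are not cppcms API.

```cpp
// Added example, no cppcms dependency: "valid magic" semantics in plain C++11.
#include <cstddef>
#include <string>
#include <vector>

// Build a std::string from a byte literal with an explicit length so that a
// 0x00 byte inside a magic (the JFIF signature ends with 00) does not truncate
// it the way the const char* constructor of std::string would.
template <std::size_t N>
std::string bytes(const char (&lit)[N]) {
    return std::string(lit, N - 1);   // N counts the literal's terminating NUL
}

struct MagicValidator {
    std::vector<std::string> magics;

    // Same role as cppcms::widgets::file::add_valid_magic(std::string const&).
    void add_valid_magic(const std::string& m) { magics.push_back(m); }

    // True if data begins with at least one registered magic.
    bool valid(const std::string& data) const {
        for (const std::string& m : magics) {
            if (data.size() >= m.size() && data.compare(0, m.size(), m) == 0)
                return true;
        }
        return false;
    }
};

// The two magics from the thread. Keep each \x escape followed by another
// escape or the end of the literal: "\xFFD8" would be read by the compiler as
// a single escape with hex digits FFD8, not as two bytes.
MagicValidator image_validator() {
    MagicValidator v;
    v.add_valid_magic(bytes("\xFF\xD8\xFF"));                        // JPEG SOI + marker
    v.add_valid_magic(bytes("\x89\x50\x4E\x47\x0D\x0A\x1A\x0A"));    // 8-byte PNG signature
    return v;
}

// Constructed sample uploads (not real files): a JFIF header, a PNG signature
// followed by filler, and an HTML document the client has named "photo.png".
// The filename regex earlier in the thread accepts the third one; the magic
// check does not.
std::string sample_jpeg() { return bytes("\xFF\xD8\xFF\xE0\x00\x10JFIF\x00") + "..."; }
std::string sample_png()  { return bytes("\x89PNG\r\n\x1a\n") + std::string(8, '\0'); }
std::string sample_html_named_png() { return "<html><script>alert(1)</script></html>"; }

int main() {
    MagicValidator v = image_validator();
    bool ok = v.valid(sample_jpeg()) && v.valid(sample_png()) && !v.valid(sample_html_named_png());
    return ok ? 0 : 1;
}
```

The check is deliberately a prefix comparison only, matching what Artyom says cppcms does; it establishes that the upload starts like an image, not that it is a well-formed one, so anything that later decodes the file still needs its own parser-level validation.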
From: Artyom <art...@ya...> - 2010-09-12 16:55:14

> 1. The user fills out the login form and sends account and password to server
> through https protocol.
> 2. The server validates the incoming account and password. If the account and
> password are valid, the server sets that session ID as the cookie value to that
> client using this assignment (and cppcms will do the rest for me?):

CppCMS handles the session cookies for you; all you need is to set some values in the session, for example:

    cppcms::application::session()["logged_in_user_name"] = valid_user_name;

The user can't alter the content of the session so it's OK.

Small note: if a user is banned or, for example, unregistered, his session may still be valid and he can do some operations, so the better way is to also check that, for example, this user name exists. See as an example http://cppcms.svn.sourceforge.net/viewvc/cppcms/wikipp/branches/for_cppcms_v100/users.cpp?revision=1200&view=markup

If you don't care about such stuff, just mark it and that's it.

> I assume that the session ID's generated by cppcms do not overlap for fairly
> long time. I most likely will configure cppcms server to
> session.expire="browser". Also, I feel setting session ID as the only cookie
> data in browsers is pretty efficient because its size is very small.

Actually there are several options for session storage; the most efficient is actually to use encrypted cookies and not session ids.

> 2. I don't see a member function that returns the current session ID in class
> "session_interface". Where can I have it instead?

Because it is not always a session id; sometimes all session data remains on the client side. (Of course it is signed or encrypted so the user can't alter it too much.)

Artyom
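Added example (editor's code, not from the thread, cppcms or wikipp): the login flow CN sketched in the first post with the refinement Artyom gives in this reply. The session is modelled as a plain std::map standing in for cppcms session() (which cppcms signs or encrypts for you); it stores only the logged-in user name, and every privileged request re-checks that name against the current user table, so a banned or deleted account loses access even though its session data is still valid. The User/UserTable types, the plain-text password comparison and the demo() scenario are constructed for the example.

```cpp
// Added example, no cppcms dependency: session marker plus per-request re-check.
#include <map>
#include <string>

typedef std::map<std::string, std::string> Session;   // stand-in for cppcms session()

struct User {
    std::string password;   // plain text only to keep the example short; store a hash in practice
    bool banned;
};
typedef std::map<std::string, User> UserTable;

const std::string kUserKey = "logged_in_user_name";

// Step 2 of CN's design: validate credentials and, on success, mark the session.
// Nothing else is stored; the framework is responsible for the cookie itself.
bool login(Session& s, const UserTable& users, const std::string& name, const std::string& password) {
    UserTable::const_iterator it = users.find(name);
    if (it == users.end() || it->second.banned || it->second.password != password)
        return false;
    s[kUserKey] = name;
    return true;
}

// Step 3: before offering a privileged service, require both a marked session
// AND a user record that still exists and is not banned (Artyom's "small note").
// A session whose user is gone or banned is cleared so it is not retried.
bool is_logged_in(Session& s, const UserTable& users) {
    Session::iterator it = s.find(kUserKey);
    if (it == s.end())
        return false;
    UserTable::const_iterator u = users.find(it->second);
    if (u == users.end() || u->second.banned) {
        s.erase(it);      // in cppcms: session().erase("logged_in_user_name") or session().clear()
        return false;
    }
    return true;
}

void logout(Session& s) { s.clear(); }

// Constructed scenario: alice logs in, is later banned by an admin, and her
// still-valid session no longer grants access.
bool demo() {
    UserTable users;
    users["alice"]   = User{"correct horse", false};
    users["mallory"] = User{"hunter2", true};

    Session s;
    if (login(s, users, "alice", "wrong")) return false;       // bad password rejected
    if (login(s, users, "mallory", "hunter2")) return false;   // banned at login time
    if (!login(s, users, "alice", "correct horse")) return false;
    if (!is_logged_in(s, users)) return false;

    users["alice"].banned = true;               // admin action after the session was issued
    if (is_logged_in(s, users)) return false;   // re-check denies the stale session
    if (s.count(kUserKey) != 0) return false;   // and the marker has been removed

    logout(s);
    return s.empty();
}

int main() { return demo() ? 0 : 1; }
```

Storing the user name rather than a session ID also answers CN's second question: the handler never needs the ID, because the framework already binds the session data to the client, and the only thing the application should trust is what it wrote into that session itself.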