Best way to add user login to c# winforms project?

  • Thread starter Deleted member 847964
Status
Not open for further replies.
Deleted member 847964

Hello, I'm looking to see if someone could point me in the right direction on how to make a user login for a winforms application in c#. I have been reading around all day and the best way I can come up with is MySQL. My question is what's the best way to implement it in a somewhat secure manner? If anyone could point me towards the right direction I'd appreciate it. I'm having trouble figuring out what string would make it work.
 
snafu

Write a PHP script to check if the username and hash of their password (and other various information you want) is in a DB in a SQL database, then have it return whatever you want to verify if they're there or not.
 
Deleted member 847964

Thanks for the response. I have my database set up with MySQL but I've never done anything server-side and don't know much about SQL and PHP. I can't seem to get it to return the correct response; I can only get it working if I input the usernames and passwords, and I'm not able to get it to compare what they type in the text box to what's in the database, so they fail to connect. I have been reading about OAuth with OWIN and trying to figure out if that would be an alternative. I'm trying to avoid having to fetch the info from pastebin if I'm able to.
 
snafu

Use a PHP script so you can request data from 127.0.0.1/?uname=shinda&pwhash=FFFFFFFFFFFFFFFF
That way you don't need to have any sensitive information in the executable.
It's not difficult to learn.
 
Zerker24

Depends on how secure you want it. Personally, I would create login tokens and store them in the DB. That way all you need to send is the token to authenticate. You could even go as far as to IP-lock the token so you can't use it from another IP address.
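
The token scheme described in this post, as an added example that is not code from the thread. `TokenStore` and its members are hypothetical names, the dictionary stands in for the tokens table in the database, the IP addresses are constructed, and .NET 6 or later is assumed.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: hypothetical server-side token store (dictionary = DB table).
public sealed class TokenStore
{
    private sealed record Entry(string User, string Ip, DateTimeOffset Expires);

    // Keyed by SHA-256 of the token, so a copy of the table holds no usable tokens.
    private readonly Dictionary<string, Entry> _byHash = new();

    public string Issue(string user, string clientIp, TimeSpan lifetime)
    {
        // 32 bytes from the OS CSPRNG; System.Random is predictable and unsuitable here.
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _byHash[HashOf(token)] = new Entry(user, clientIp, DateTimeOffset.UtcNow + lifetime);
        return token; // handed to the client once; the server keeps only the hash
    }

    // Returns the user name, or null if the token is unknown, expired or sent from another IP.
    public string? Validate(string token, string clientIp)
    {
        string key = HashOf(token);
        if (!_byHash.TryGetValue(key, out Entry? entry)) return null;
        if (entry.Expires <= DateTimeOffset.UtcNow) { _byHash.Remove(key); return null; }
        return entry.Ip == clientIp ? entry.User : null; // the IP lock
    }

    private static string HashOf(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
}

public static class TokenDemo
{
    public static void Main()
    {
        var store = new TokenStore();
        // Constructed sample values (documentation IP ranges).
        string token = store.Issue("shinda", "203.0.113.7", TimeSpan.FromHours(1));
        Console.WriteLine(store.Validate(token, "203.0.113.7") ?? "rejected");  // issuing IP
        Console.WriteLine(store.Validate(token, "198.51.100.9") ?? "rejected"); // different IP
        Console.WriteLine(store.Validate("not-a-token", "203.0.113.7") ?? "rejected");
    }
}
```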
 
Deleted member 847964

Honestly it doesn't need to be super secure, just mainly looking for a way to distribute a program halfway exclusive. I have decided to go with SQL server and just something username, hwid, and if I can implement a token or some form of key system that would be fine with me. Do you have any recommendations on methods for generating individual tokens? Any advice is appreciated, I still have a lot to learn.
 
Zerker24

Just a random string generated.

If it's a product key system, you could get away with having a database of product keys and just write a PHP script to see if the key provided is in the database. You could also limit the number of uses of each key by adding a counter if you wanted to. I can see what I can come up with when I get off work tomorrow to help out.

If you want the user login, that can be done too.

Create a users database
  • id
  • display
  • login
  • hash
  • salt
You could also add in an email field if you so choose.

The ID should auto increment, that's an option in SQL.

display is the user's display name or "Username"

login is an all lowercase version of display. This will make it easier to check on login later. So you can use tolower and the caps don't matter.

hash is the password in hash format. MD5 is common.

salt is a randomized set of characters that is added to the password to make it more secure.

An example of how IPB used to generate a password hash.

md5(md5(password) . md5(salt));

You should NEVER store a non-hash version of a user's password.

You would generate a version of that hash in C# and send that along with the lowercase version of the username for the login to be checked on the server.
 
Deleted member 847964

Thanks for this. I have fixed the original issue with my database so I will play around with this tonight. I have little knowledge of SQL and PHP scripting but I have some documentation on it and will be able to figure it out. I didn't realize until yesterday just how many tools and extensions Visual Studio has for stuff like that.
 
snafu

Side note: don't use MD5 for securing your passwords; use SHA-256 or 512 or bcrypt.
 
Zerker24

I haven't written a password encryption in a while. I guess I am outdated lol. Thanks for the info.
 
Deleted member 847964

Thanks for your help guys, I got it working finally. As for the password hashing can I use something like Microsoft's cryptography class or is that not the correct way?
 
snafu

Yeah, or Bouncy Castle.
 
Deleted member 847964

I've been doing some testing and everything seems to be working smooth except one problem, if the user closes out the login form it bypasses the login and loads the form anyway. I've set everything up to where if the user info doesn't match the database everything closes out but I'm wondering how I could make it to where the login needs to return a correct response to avoid the login page being bypassed so easily. My login is form1 and the main form is form2. Is there something I can do in program.cs to prevent it from loading or keep it hidden?

*Just to clarify it does have to return correct values from the database for it to load under any other scenario, just not if someone closes the app whether it be from the icon tray or clicking on the "x" in the top right corner.

*Edit: resolved. Thanks snafu and Zerker24
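
One common way to close the gap described in this post, shown as an added example; the thread does not say which fix was used. The login form is shown modally from `Program.cs` and the main form is created only when the dialog returns `DialogResult.OK`, so closing the login window ends the program. The control layout and the `verify` delegate, a constructed stand-in for the request to the server, are assumptions, and .NET 5 or later WinForms is assumed.

```csharp
using System;
using System.Windows.Forms;

// Added example: Form1 is the login form, Form2 the main form, as in the post.
sealed class Form1 : Form
{
    private readonly TextBox _user = new() { Top = 10, Left = 10, Width = 200 };
    private readonly TextBox _pass = new() { Top = 40, Left = 10, Width = 200, UseSystemPasswordChar = true };
    private readonly Button _login = new() { Text = "Log in", Top = 70, Left = 10 };

    public Form1(Func<string, string, bool> verify)
    {
        Text = "Login";
        Controls.AddRange(new Control[] { _user, _pass, _login });
        _login.Click += (_, _) =>
        {
            // OK is set only after a successful check; setting it closes the modal dialog.
            if (verify(_user.Text, _pass.Text)) DialogResult = DialogResult.OK;
            else MessageBox.Show("Login failed.");
        };
    }
}

sealed class Form2 : Form
{
    public Form2() { Text = "Main"; }
}

static class Program
{
    [STAThread]
    static void Main()
    {
        Application.EnableVisualStyles();
        Application.SetCompatibleTextRenderingDefault(false);

        // Constructed stand-in for the server-side credential check.
        Func<string, string, bool> verify = (user, pass) => user == "demo" && pass == "demo";

        using (var login = new Form1(verify))
        {
            // Closing with the "X" or from the taskbar yields DialogResult.Cancel,
            // so every path other than an explicit success exits here.
            if (login.ShowDialog() != DialogResult.OK) return;
        }

        // Form2 is not even constructed unless the login succeeded.
        Application.Run(new Form2());
    }
}
```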
 