Best way to add user login to c# winforms project?

Discussion in 'Programming & Scripting' started by CeratedSuperior, Mar 10, 2019 with 12 replies and 543 views.

Thread Status:
Not open for further replies.
  1. CeratedSuperior

    CeratedSuperior No sympathy for the Devil; keep that in mind

    Hello, I'm looking to see if someone could point me in the right direction on how to make a user login for a winforms application in c#. I have been reading around all day and the best way I can come up with is MySQL. My question is what's the best way to implement it in a somewhat secure manner? If anyone could point me towards the right direction I'd appreciate it. I'm having trouble figuring out what string would make it work.
     
  2. shinda

    shinda Retired Retired

    Write a php script to check if the username and hash of their password (and other various information you want) is in a DB in a sql database then have it return whatever you want to verify if they're there or not.
     
    • Informative Informative x 1
  3. OP
    CeratedSuperior

    CeratedSuperior No sympathy for the Devil; keep that in mind

    Thanks for the response. I have my database set up with MySQL but I've never done anything server sided and don't know much about SQL and php. I can't seem to get it to return the correct response, I can only get it working if I input the usernames and passwords and not able to get it to compare what they type in the text box to what's in the database so they fail to connect. I have been reading about OAuth with OWIN and trying to figure out if that would be an alternative. I'm trying to avoid having to fetch the info from pastebin if I'm able to.
     
  4. shinda

    shinda Retired Retired

    Use a php script so you can request data from 127.0.0.1/?uname=shinda&pwhash=FFFFFFFFFFFFFFFF
    that way you don't need to have any sensitive information in the executable.
    It's not difficult to learn.
     
    • Like Like x 1
  5. Zerker24

    Zerker24 Enthusiast

    Depends on how secure you want it. Personally, I would create login tokens and store them into the DB. That way all you need to send is the token to authenticate. You could even go as far as to ip lock the token so you can't use it from another ip address.
     
  6. OP
    CeratedSuperior

    CeratedSuperior No sympathy for the Devil; keep that in mind

    Honestly it doesn't need to be super secure, just mainly looking for a way to distribute a program halfway exclusive. I have decided to go with SQL server and just something username, hwid, and if I can implement a token or some form of key system that would be fine with me. Do you have any recommendations on methods for generating individual tokens? Any advice is appreciated, I still have a lot to learn.
     
  7. Zerker24

    Zerker24 Enthusiast

    Just a random string generated.

    If it's a product key system, you could get away with having a database of product keys and just write a PHP script to see if the key provided is in the database. You could also limit the number of uses of each key by adding a counter if you wanted to. I can see what I can come up with when I get off work tomorrow to help out.

    If you want the user login, that can be done too.

    Create a users database
    • id
    • display
    • login
    • hash
    • salt
    You could also add in an email field if you so choose.

    The ID should auto increment, that's an option in SQL.

    display is the user's display name or "Username"

    login is an all lowercase version of display. This will make it easier to check on login later. So you can use tolower and the caps doesn't matter.

    hash is the password in hash format. MD5 is common.

    salt is a randomized set of characters that is added to the password to make it more secure.

    An example of how IPB used to generate a password hash.

    md5(md5(password) . md5(salt));

    You should NEVER store a non-hash version of a user's password.

    You would generate a version of that hash in c# and send that along with the lowercase version of the username for the login to be checked on the server.
     
    • Informative Informative x 1
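
The login-token idea from posts 5 to 7 (a random token stored in the DB, optionally locked to an IP), as an added example that is not from the thread. It is written in C# to match the client; `TokenStore`, its members and the in-memory dictionary standing in for the database table are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: server-side login tokens bound to the IP address they were issued to.
// TokenStore and its members are hypothetical; the dictionary stands in for a DB table.
public sealed class TokenStore
{
    private sealed class Entry { public string User; public string Ip; public DateTime ExpiresUtc; }
    private readonly Dictionary<string, Entry> _byTokenHash = new Dictionary<string, Entry>();
    private readonly TimeSpan _lifetime;
    public TokenStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Store only a hash of the token, so a leaked table does not contain usable tokens.
    private static string HashToken(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // Call after the password check succeeds; returns the token to hand to the client.
    public string Issue(string user, string clientIp)
    {
        var raw = new byte[32];                        // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        _byTokenHash[HashToken(token)] = new Entry { User = user, Ip = clientIp, ExpiresUtc = DateTime.UtcNow + _lifetime };
        return token;
    }

    // Returns the user name for a valid token, or null if unknown, expired or sent from another IP.
    public string Validate(string token, string clientIp)
    {
        string key = HashToken(token);
        if (!_byTokenHash.TryGetValue(key, out Entry e)) return null;
        if (DateTime.UtcNow > e.ExpiresUtc) { _byTokenHash.Remove(key); return null; }
        return e.Ip == clientIp ? e.User : null;
    }
}
public static class TokenDemo
{
    public static void Main()
    {
        var store = new TokenStore(TimeSpan.FromHours(1));
        string t = store.Issue("shinda", "203.0.113.7");                      // constructed sample values
        Console.WriteLine(store.Validate(t, "203.0.113.7") ?? "rejected");    // same IP
        Console.WriteLine(store.Validate(t, "198.51.100.9") ?? "rejected");   // different IP
    }
}
```
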
  8. OP
    CeratedSuperior

    CeratedSuperior No sympathy for the Devil; keep that in mind

    Thanks for this. I have fixed the original issue with my database so I will play around with this tonight. I have little knowledge of SQL and php scripting but I have some documentation on it and will be able to figure it out. I didn't realize until yesterday just how many tools and extensions visual studio has for stuff like that.
     
  9. shinda

    shinda Retired Retired

    sidenote: don't use md5 for securing your passwords, use sha256 or 512 or bcrypt
     
    • Informative Informative x 1
  10. Zerker24

    Zerker24 Enthusiast

    I haven't written a password encryption in a while. I guess I am outdated lol. Thanks for the info.
     
  11. OP
    CeratedSuperior

    CeratedSuperior No sympathy for the Devil; keep that in mind

    Thanks for your help guys, I got it working finally. As for the password hashing can I use something like Microsoft's cryptography class or is that not the correct way?
     
  12. shinda

    shinda Retired Retired

    yeah or bouncycastle.
     
    • Like Like x 1
  13. OP
    CeratedSuperior

    CeratedSuperior No sympathy for the Devil; keep that in mind

    I've been doing some testing and everything seems to be working smooth except one problem, if the user closes out the login form it bypasses the login and loads the form anyway. I've set everything up to where if the user info doesn't match the database everything closes out but I'm wondering how I could make it to where the login needs to return a correct response to avoid the login page being bypassed so easily. My login is form1 and the main form is form2. Is there something I can do in program.cs to prevent it from loading or keep it hidden?

    *Just to clarify it does have to return correct values from the database for it to load under any other scenario, just not if someone closes the app whether it be from the icon tray or clicking on the "x" in the top right corner.

    *Edit: resolved. Thanks shinda and Zerker24
     
    Last edited: Mar 14, 2019
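
One common way to close the bypass described in post 13, shown as an added example; the thread does not say how it was actually resolved. `Form1` (login) and `Form2` (main) follow the post's naming, while the controls, the `validate` delegate and the sample credentials are assumptions.

```csharp
using System;
using System.Windows.Forms;

// Added example: the main form is created only after the login dialog returns OK.
// Form1/Form2 follow the post's naming; the controls and the validate delegate are assumptions.
public class Form1 : Form
{
    private readonly TextBox _user = new TextBox { Left = 10, Top = 10, Width = 200 };
    private readonly TextBox _pass = new TextBox { Left = 10, Top = 40, Width = 200, UseSystemPasswordChar = true };
    private readonly Button _ok = new Button { Left = 10, Top = 70, Text = "Log in" };

    public Form1(Func<string, string, bool> validate)
    {
        Text = "Login";
        Controls.AddRange(new Control[] { _user, _pass, _ok });
        AcceptButton = _ok;
        _ok.Click += (s, e) =>
        {
            // Setting DialogResult on a modal form closes it; this is the only success path.
            if (validate(_user.Text, _pass.Text)) DialogResult = DialogResult.OK;
            else MessageBox.Show(this, "Login failed.");
        };
    }
}

public class Form2 : Form { public Form2() { Text = "Main"; } }

static class Program
{
    [STAThread]
    static void Main()
    {
        Application.EnableVisualStyles();
        Application.SetCompatibleTextRenderingDefault(false);
        // Stand-in for the server round trip discussed in the thread (constructed credentials).
        Func<string, string, bool> validate = (u, p) => u == "demo" && p == "demo-password";
        using (var login = new Form1(validate))
        {
            // Closing with the "X", Alt+F4 or the taskbar leaves the result at Cancel, so the app exits.
            if (login.ShowDialog() != DialogResult.OK) return;
        }
        Application.Run(new Form2());
    }
}
```

This only fixes the window flow on the client; whatever the main form does should still depend on a server-side check such as a token.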
