
Handle login and logout


2003-12-15 05:14:40 PM
cppbuilder86
Greetings,
I have developed a program using C++ Builder ver 6 (say FTPAccess.exe) to
download files from a password protected FTP site through the Internet.
(FTP username and password are hard coded in my program since my hosted site
does not have enough FTP accounts to give to each user)
Meantime, only my allowed users could download files from my FTP site. I
need to develop certain processes to handle these. My method is: -
1) Create a file (say password.txt) to store the list of all MD5 encrypted
usernames and passwords (usernames and passwords are given by me and my users
are not allowed to change them)
2) Upload encrypted "password.txt" to my FTP site
3) Users start my own developed program - "FTPAccess.exe"
4) "FTPAccess.exe" asks User A for username (U) and password (P) to login
5) "FTPAccess.exe" gets encrypted "password.txt" from my FTP site
6) "FTPAccess.exe" compares the MD5 encrypted (U) and (P) with the encrypted
data stored in "password.txt"
7) If NOT matched, "FTPAccess.exe" will be terminated and exit
8) If matched, "FTPAccess.exe" will login and download files from my FTP
site
By using the method above, or any other better methods (please suggest), how
does my program handle: -
a) If User A has already logged in, other users could not use User A's
username and password to login, unless User A has logged out.
b) If User A has already logged in, and then User A's Internet connection
dropped or his PC suddenly shut down, User A still could use his username and
password to reconnect.
Thanks in advance.
 
 

Re: Handle login and logout

"ascll" <XXXX@XXXXX.COM> wrote in message
Quote
5) "FTPAccess.exe" gets encrypted "password.txt" from my FTP
site
FTPAccess should not be allowed or able to download any file, or issue any
other non-login-related commands, until its login has been validated by the
server first. That would be a security breach otherwise.
Quote
6) "FTPAccess.exe" compares the MD5 encrypted (U) and (P)
with the encrypted data stored in "password.txt"
You should not do it that way. The server, not the client, should be the
one verifying the passwords. Simply have FTPAccess send the username and
password to the server, and let the server handle the hashing and comparing
to the password file locally. FTPAccess should have *no* knowledge of the
password file at all, and in fact I would suggest you not allow any FTP
clients direct access to the file at all. If the encryption credentials do
not match what the server is expecting, then the server can simply kick out
FTPAccess (or any other client) with an error that can be handled on the
client end appropriately.
I assume that you are making the server yourself as well?
Quote
a) If User A has already logged in, other users could not use User A's
username and password to login, unless User A has logged out.
That is simply a matter of having the server keep track of the users who are
logged in, and if a username is already logged in then simply fail the login
if any client tries to login with the same username. That is the
responsibility of the server, not the client, to manage.
Quote
b) If User A has already logged in, and then User A's Internet connection
dropped or his PC suddenly shut down, User A still could use his
username and password to reconnect.
Only if nobody else has already logged in with that username while he was
disconnected. In order to reconnect, he has to establish a brand new
connection to the server as if it were the first time. He would have to
login again, be verified, etc. The server has to treat connections on a
per-connection basis; there is no persisting information from one connection
to another.
Gambit
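
An added example, not part of the original thread or of either poster's code: a minimal server-side session registry in C++ for the rule discussed in the reply above (credentials verified on the server, one live login per username, the name freed when the connection ends). The class name, the integer connection ids, `demoVerify`, and the idle timeout that frees a name when a client vanishes without a clean close are assumptions made for illustration; the timeout goes beyond what the reply describes.

```cpp
#include <chrono>
#include <functional>
#include <string>
#include <unordered_map>

// Hypothetical server-side registry: at most one live session per username.
class SessionRegistry {
public:
    using Clock = std::chrono::steady_clock;
    using Verifier = std::function<bool(const std::string&, const std::string&)>;
    enum class Result { Ok, BadCredentials, AlreadyLoggedIn };
    SessionRegistry(Verifier verify, std::chrono::seconds idleLimit)
        : verify_(verify), idleLimit_(idleLimit) {}

    // Handle a login command from connection connId. Credentials are checked
    // first, so a wrong password never reveals whether the user is online.
    Result login(const std::string& user, const std::string& pass,
                 int connId, Clock::time_point now) {
        if (!verify_(user, pass)) return Result::BadCredentials;
        auto it = live_.find(user);
        if (it != live_.end() && now - it->second.lastSeen < idleLimit_)
            return Result::AlreadyLoggedIn;   // another connection holds the name
        live_[user] = Session{connId, now};   // free or stale slot: take it
        return Result::Ok;
    }

    // Gate for every non-login command; also refreshes the idle timer.
    bool authorize(const std::string& user, int connId, Clock::time_point now) {
        auto it = live_.find(user);
        if (it == live_.end() || it->second.connId != connId) return false;
        it->second.lastSeen = now;
        return true;
    }

    // Call on logout or when the socket closes; frees the name at once.
    void disconnect(const std::string& user, int connId) {
        auto it = live_.find(user);
        if (it != live_.end() && it->second.connId == connId) live_.erase(it);
    }
private:
    struct Session { int connId; Clock::time_point lastSeen; };
    Verifier verify_;
    std::chrono::seconds idleLimit_;
    std::unordered_map<std::string, Session> live_;
};
// Constructed stand-in for the server's lookup in its local password file.
inline bool demoVerify(const std::string& u, const std::string& p) {
    return u == "userA" && p == "constructed-password";
}
```

The server calls `authorize` before acting on any command other than login, so a connection that has not passed `login` cannot download anything.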