Login to a web site by the program


3

I have a site programmed in PHP with a login, and I’m making a desktop application (Windows) and trying to log in to the site from that application.

My PHP system works as follows: it creates a PHP session and stores the session-relevant data in a cookie. The authorization system has 4 return values: 1 when the login succeeds, -1 when the password is incorrect, -2 when the user is incorrect and, finally, -3 when the user gets the password wrong more than 5 times in less than 1 hour (anti brute force).

I found some code searching on the web (I owe the reference, I found it a while ago) and it is functional: if I try to log in to my site with my credentials, the return is 1, and if there is any error, the returns are correct too.

The big problem is getting "hold" of this session. When we close the browser, for example, I will still be logged in when I open it again because the cookie will be "holding" the session. To test this, I created a page logged.php, which basically returns 'Logged in' when you are logged in and something else otherwise.

In the browser it works normally, but in my program I am always logged in!

Here is my method login(), responsible for all the work:

private void login()
{
    string formUrl = "http://exemplo.com.br/auth.php";
    string formParams = string.Format("username={0}&password={1}", username.Text, password.Text);
    string cookieHeader;
    WebRequest req = WebRequest.Create(formUrl);
    req.ContentType = "application/x-www-form-urlencoded";
    req.Method = "POST";
    byte[] bytes = Encoding.ASCII.GetBytes(formParams);
    req.ContentLength = bytes.Length;
    using (Stream os = req.GetRequestStream())
    {
        os.Write(bytes, 0, bytes.Length);
    }
    WebResponse resp = req.GetResponse();
    cookieHeader = resp.Headers["Set-cookie"];
    MessageBox.Show(cookieHeader);
    string pageSource;
    string getUrl = "http://exemplo.com.br/logged.php";
    WebRequest getRequest = WebRequest.Create(getUrl);
    getRequest.Headers.Add("Cookie", cookieHeader);
    WebResponse getResponse = getRequest.GetResponse();
    using (StreamReader sr = new StreamReader(getResponse.GetResponseStream()))
    {
        pageSource = sr.ReadToEnd();
        MessageBox.Show(pageSource);
    }
}

I have some other sub-questions, like: Is doing this safe? What would be the best way to return data and add data? Would it be a POST/GET to a page with a SELECT in MySQL? But let's leave that for later!

  • I think it would make it a lot easier for you to have a separate API for desktop software instead of the traditional login.

2 answers

5


Use the CookieContainer:

string formUrl = "http://exemplo.com.br/auth.php";
string formParams = string.Format("username={0}&password={1}", username.Text, password.Text);

var cookies = new CookieContainer(); // add this line

var request = WebRequest.Create(formUrl) as HttpWebRequest; // modified line
// some changes below
request.CookieContainer = cookies;
request.ContentType = "application/x-www-form-urlencoded";
request.Method = "POST";

byte[] bytes = Encoding.ASCII.GetBytes(formParams);
request.ContentLength = bytes.Length;
using (Stream os = request.GetRequestStream())
{
    os.Write(bytes, 0, bytes.Length);
}

// I removed some code here; there is no need to read the server's response manually.
// The response is still disposed so the connection is released for the next request.
using (request.GetResponse()) { }

string getUrl = "http://exemplo.com.br/logged.php";
var getRequest = WebRequest.Create(getUrl) as HttpWebRequest;
getRequest.CookieContainer = cookies; // same container: the session cookie is sent automatically
getRequest.Method = "GET";
try
{
    using (WebResponse getResponse = getRequest.GetResponse())
    using (StreamReader sr = new StreamReader(getResponse.GetResponseStream()))
    {
        // WRITE THE OUTPUT:
        MessageBox.Show(sr.ReadToEnd());
    }
}
catch (Exception ex)
{
    MessageBox.Show(ex.Message);
    throw;
}

Reference: Link

On the question of security, please see the answer by @chambelix, which explains it very well.

  • You said that I don’t need to read the server response manually. How do I check if the password was entered wrongly, for example?

  • @Gabrieltadramainginski, I think he meant that you don’t need to read the response if the goal is just to test the return of the request to the page logged.php. Of course, to know if the password was entered wrong you will need to process the return of the request to the page auth.php.

  • As @Wakim said, I just meant that I didn’t need to process the return because I didn’t need to pick up the cookie, since CookieContainer does that automatically. But if you need to take the return of request.GetResponse() and process it, as I did in the last lines of the code, that is up to you.

  • I understand! Thank you very much, I can walk on my own legs from here!
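As an added example (not code from the question or from this answer), here is the same flow written with HttpClient, where the HttpClientHandler owns the CookieContainer. It also reads the body of auth.php so the 1/-1/-2/-3 return codes the question describes can be acted on, and then requests logged.php with the stored cookie. The host name, the HTTPS scheme, the exact response texts and the credentials are assumptions; the client stores nothing but the server-issued session cookie and never keeps the password.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Return codes of auth.php as described in the question.
public enum AuthResult { Success = 1, WrongPassword = -1, UnknownUser = -2, LockedOut = -3 }

public sealed class SiteSession : IDisposable
{
    private readonly CookieContainer _cookies = new CookieContainer();
    private readonly HttpClient _http;
    private readonly Uri _baseUri;

    public SiteSession(Uri baseUri)
    {
        _baseUri = baseUri;
        // The handler owns the cookie jar: Set-Cookie from auth.php is stored and
        // sent automatically on every later request to the same host and path.
        var handler = new HttpClientHandler { CookieContainer = _cookies, UseCookies = true };
        _http = new HttpClient(handler) { BaseAddress = baseUri };
    }

    public async Task<AuthResult> LoginAsync(string user, string password)
    {
        // FormUrlEncodedContent percent-encodes the values, which the
        // string.Format version in the question does not.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["username"] = user,
            ["password"] = password,
        });
        using (var response = await _http.PostAsync("auth.php", form))
        {
            response.EnsureSuccessStatusCode();
            string body = (await response.Content.ReadAsStringAsync()).Trim();
            return ParseAuthResult(body);
        }
    }

    // Assumes auth.php answers with the bare integer as plain text.
    public static AuthResult ParseAuthResult(string body)
    {
        if (int.TryParse(body, out int code) && Enum.IsDefined(typeof(AuthResult), code))
            return (AuthResult)code;
        throw new InvalidOperationException("Unexpected reply from auth.php: " + body);
    }

    // Assumes logged.php prints "Logged in" for a valid session, as in the question.
    public async Task<bool> IsLoggedInAsync()
    {
        string page = await _http.GetStringAsync("logged.php");
        return page.Contains("Logged in");
    }

    // True once the server has issued at least one cookie for this site.
    public bool HasSessionCookie() => _cookies.GetCookies(_baseUri).Count > 0;

    public void Dispose() => _http.Dispose();
}

public static class Program
{
    public static async Task Main()
    {
        // Host and scheme are assumptions; the trailing slash matters so that
        // "auth.php" resolves to /auth.php rather than replacing the last segment.
        using (var session = new SiteSession(new Uri("https://exemplo.com.br/")))
        {
            AuthResult result = await session.LoginAsync("alice", "s3cret"); // constructed credentials
            switch (result)
            {
                case AuthResult.WrongPassword: Console.WriteLine("Incorrect password."); return;
                case AuthResult.UnknownUser:   Console.WriteLine("Unknown user."); return;
                case AuthResult.LockedOut:     Console.WriteLine("Too many attempts; try again later."); return;
            }

            Console.WriteLine("Cookie received: " + session.HasSessionCookie());
            Console.WriteLine("logged.php says logged in: " + await session.IsLoggedInAsync());
        }
    }
}
```

The lockout code (-3) is handled before any further request is made, so the desktop client does not keep hammering auth.php once the server has started rate limiting.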

2

I find myself developing a project where the essence is almost the same... Desktop software that accesses a PHP and MySQL system that holds the user identities.

Reading your question and noticing some concern about security issues and about defending against possible attacks, I wanted to point out that in a system that records content in cookies, security is clearly not a strong point... That is to say, never trust data coming from the client, such as an easily manipulated cookie.

Then many other levels have to be taken into account, such as concurrent accesses, user authenticity, etc...

A cookie should at most hold the session_id, and the server side should handle the session securely, but that is another war.

  • I agree, but I imagine the biggest problem is session hijacking, especially with man-in-the-middle and trojans. My question is about who should guarantee security: PHP or C# or both, and how!

  • Yes, session hijacking is also a real problem... But with SSL and good session management it is impractical... Although there are those who claim to be able to break "https". In the meantime it will always be a game of cat and mouse. Whoever holds the identities must always ensure security.

  • And those who access the web service must ensure that the system is really secure. If both systems are developed by the same person... then the security implementation depends heavily on the needs of both the service that holds the identities and the software that accesses that service.

  • Correct, but I no longer know if it is necessary to invest in an SSL certificate. I don’t know how big the project is going to be (expectations are always huge), I will never know how far it will grow, so at the moment I find it trite. I saw that you have some knowledge of security; would it be possible to 'predict' or check whether the information is being intercepted, either by the user or by my app?

  • Thank you for the reply... I could not include this information in my question due to lack of knowledge in the area of security. I believe the question is now very well answered.

  • @Gabrieltadramainginski, as I said, it depends a lot on the needs of each project. If it is a personal situation for internal use, security depends on you. If it is for a service that others will have to trust... then?

  • On the software’s side!
