Best Practices for Writing Login Code?

Hey All,

So I’m writing my first web application with Xojo. It’s more of an LVP/Proof-of-Concept, and if the idea takes off then I will definitely come back and re-write the app to use a more robust database. Since this is my first time implementing login functionality, I was wondering if the community could give me feedback / practices on accomplishing something like this. So far my process looks like:

  1. User fills out the signup form
  2. The form is Validated
  3. Validated fields are then substituted into a SQL query that is then executed and committed
  4. The values are inserted into a table called UserTable that contains all the information I would need to collect (name, zipcode, password, weight, everything)

Is there anything I can change to more effectively implement login functionality for my application NOW so that I’m not doing crazy re-writes Later?

Thank you all!

You should never store a password, nor transmit a password unencrypted. The password should be hashed using an algorithm like PBKDF2, Bcrypt, or Scrypt, and the result of that hash stored instead. When a user attempts to authenticate, you would hash the password they entered and compare it to what you have stored.

(This is the short version of that strategy. For better security, you’d implement something like Security Through Obesity, but that’s a more advanced discussion.)

geee… Why not? Facebook does… 🙂

THAT was SARCASM… do what Kem said.

FYI… Any site that says that it can recover your password should you forget it… is NOT secure… once you create a password… the only place that exact sequence of characters should exist is in your head…

or if you have a secure password manager that you use so you don’t forget the 297 passwords you have (I just checked 1password). And passwords should never be repeated (used on more than one site).

297? Amateur 😛

You could take a look at The ZAZ: Authentication Kit to get started. There’s still a handful of work for you to do, but my module does most of the heavy lifting. Or you could read more about the topic of password storage at The ZAZ: Storing passwords securely with Xojo

Here’s a short blog post to give you an overview:

Good info above, my 2p to add. Always use prepared statements when accessing your database and treat ALL data as potentially being compromised, sanitise everything server side, never rely on the client for correcting issues as the unscrupulous will just work around it.
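
The two pieces of advice in this thread (store a salted PBKDF2 hash instead of the password, and use prepared statements) combined in one sign-up/login flow. This is an added example, not code from any poster, and it is written in Python with SQLite rather than Xojo; the `salt` and `pw_hash` columns, the function names and the iteration count are assumptions, only the `UserTable` name comes from the question.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed work factor; raise it as far as your server tolerates


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    # Hypothetical schema: no plaintext password column exists at all.
    db.execute("CREATE TABLE IF NOT EXISTS UserTable ("
               "name TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    return db


def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 returns 32 bytes; the salt makes equal passwords hash differently.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def sign_up(db, name, password):
    salt = os.urandom(16)  # fresh random salt per user
    with db:  # commits on success, rolls back on error
        # "?" placeholders: values travel separately from the SQL text.
        db.execute("INSERT INTO UserTable (name, salt, pw_hash) VALUES (?, ?, ?)",
                   (name, salt, hash_password(password, salt)))


def log_in(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM UserTable WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        # Hash anyway so an unknown name takes about as long as a known one.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    # Constant-time comparison of the stored hash with the recomputed one.
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    db = open_db()
    # Constructed sample data; the quote in the name is handled by the placeholder.
    sign_up(db, "O'Brien", "correct horse battery staple")
    print(log_in(db, "O'Brien", "correct horse battery staple"))
    print(log_in(db, "O'Brien", "wrong guess"))
```
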