HandleURL Login Session

This is my first attempt at using HandleURL, so I’m a little confused about how to complete this process. I am trying to process a login form sent from a webpage to the web app. GET shows the parameters in the URL, so I do not want to use that for a login method; I am trying to use POST instead. I’ve tried reading the forums on how to accomplish this, but I’m still a little confused.

When I parse the key/value pair from the entity, can I create a new session and push the user there? How can I do this?

My apologies if you know this already: POST is not inherently secure. Though the end user may not see the login parameters in the address bar, anyone who can see the data transmitted over the Internet can extract all the information from the POST. You need to force an SSL connection to ensure that the login credentials are transmitted securely.

You can access the raw content of the POST itself via WebRequest.Entity. A POST can be in any format, but you are most likely dealing with application/x-www-form-urlencoded, which means the POST body is formatted just like GET parameters appended to a URL. If that’s the case, then the code below should get you started. It’s one of the functions from my Web Custom Controls toolkit. Parsing a URL-encoded POST is not a trade secret, so feel free to use it as a starting point for your code.

For the redirect you’ll want to use the WebRequest Status property and Header method to instruct the client browser to redirect (probably HTTP 302). The trick is to have the browser redirect to a normal Xojo web app page (not HandleURL) in such a way that the web app knows the user is authenticated.

Here’s one approach:

  • If the credentials are good, create and store a GUID somewhere that indicates this user is authenticated. You’re going to want more than just a Dictionary of strings. You’ll probably want a class that records the login, IP address, assigned GUID, time of login (so you can ‘time out’ and clean the list), etc.
  • Give the browser a redirect URL that includes the GUID as a GET parameter.
  • When the browser connects to the normal Xojo web app page, you can check for that GET parameter, then check the GUID against your internal list of authenticated users. From there you can take appropriate action.
  • GET parameters are encrypted over SSL. Nevertheless, when I’ve had to do something like this (i.e. authenticate a Xojo session from an outside page), I’ve taken additional common-sense steps such as checking the IP along with the GUID, ‘expiring’ the GUID immediately upon the first successful session, and blocking any IP addresses which repeatedly try to connect with an invalid GUID.

Here’s the GetParameter function. Notes:

  • This is an Extends function from a Module so that I can call it anywhere I have a WebRequest.
  • The caller is responsible for any further processing of the parameter. The caller will often need to call DecodeURLComponent on the return string.
  • I check for older versions of Real Studio. The framework used to assume a URL encoded POST and parse it for you, but that functionality was removed.
  • This is a “catch all” function so I also check for GET and let the framework handle it.

Hope this helps!

Public Function GetParameterTD(Extends objRequest As WebRequest, strName As String) As String
  'Older versions of Real Studio parsed a URL encoded POST for you.
  Dim nmVersion As Double = RBVersion
  If nmVersion < 2014.0209 Then
    Return objRequest.GetParameter(strName)
  End If
  'Let the framework handle GET requests.
  If objRequest.Method = "GET" Then
    Return objRequest.GetParameter(strName)
  End If
  'Get post data.
  Dim strData As String = objRequest.Entity
  'Find the parameter. Only accept a match at the start of the body or
  'directly after an "&", so that "user=" is not found inside "olduser=".
  Dim nmStart, nmFinish As Integer
  strName = strName + "="
  nmStart = strData.InStr(strName)
  Do Until nmStart < 1
    If nmStart = 1 Or strData.Mid(nmStart - 1, 1) = "&" Then Exit
    nmStart = strData.InStr(nmStart + 1, strName)
  Loop
  If nmStart < 1 Then Return ""
  nmStart = nmStart + strName.Len
  'The value runs to the next "&" or to the end of the body.
  'The caller still needs to call DecodeURLComponent on the result.
  nmFinish = strData.InStr(nmStart, "&")
  If nmFinish < 1 Then
    Return strData.Mid(nmStart)
  End If
  Return strData.Mid(nmStart, nmFinish - nmStart)
End Function
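The two pieces of the answer above, parsing the urlencoded POST body and handing the browser a single-use GUID that the normal page checks against an IP, expiry and failure count, as an added example in Python. This is not the Xojo code from the answer or from the Web Custom Controls toolkit; the credential table, the `auth` parameter name, the 60-second lifetime and the client addresses are constructed for the example.

```python
"""Added example: urlencoded POST parsing plus a one-time login token handoff.
Not the forum answer's Xojo code; credentials and addresses are constructed."""
import hmac
import secrets
import time
from urllib.parse import unquote_plus, urlencode

# Constructed credential table for the example (a real app would store hashes).
CREDENTIALS = {"alice": "correct horse battery staple"}


def get_parameter(body, name):
    """First value of `name` in an application/x-www-form-urlencoded body.

    Splitting on '&' before comparing names means the name must match a whole
    field, so a search for 'user' cannot land inside 'olduser='. Values are
    percent-decoded and '+' becomes a space, which a raw InStr/Mid slice
    does not do. Returns None when the field is absent.
    """
    for pair in body.split("&"):
        key, sep, value = pair.partition("=")
        if sep and unquote_plus(key) == name:
            return unquote_plus(value)
    return None


class LoginTokens:
    """Single-use tokens passed from the HandleURL login to a normal page.

    Each token is bound to the client IP it was issued to, expires after
    `ttl_seconds`, is consumed on first redemption, and IPs that repeatedly
    present bad tokens are refused further attempts.
    """

    def __init__(self, ttl_seconds=60, max_failures=5):
        self._tokens = {}     # token -> (username, client_ip, issued_at)
        self._failures = {}   # client_ip -> number of invalid redemptions
        self.ttl = ttl_seconds
        self.max_failures = max_failures

    def _sweep(self, now):
        """Drop tokens older than the TTL (the 'time out and clean the list' step)."""
        for tok, (_, _, issued) in list(self._tokens.items()):
            if now - issued > self.ttl:
                del self._tokens[tok]

    def issue(self, username, client_ip, now=None):
        now = time.time() if now is None else now
        self._sweep(now)
        token = secrets.token_urlsafe(32)   # unguessable, unlike a sequential id
        self._tokens[token] = (username, client_ip, now)
        return token

    def redeem(self, token, client_ip, now=None):
        """Return the username for a valid token, else None.

        The token is removed on first use whether or not the IP check passes,
        so a token leaked in a log or referrer is worthless after one attempt.
        """
        now = time.time() if now is None else now
        self._sweep(now)
        if self._failures.get(client_ip, 0) >= self.max_failures:
            return None
        record = self._tokens.pop(token, None)
        if record is None or record[1] != client_ip:
            self._failures[client_ip] = self._failures.get(client_ip, 0) + 1
            return None
        return record[0]


def handle_login(body, client_ip, tokens, now=None):
    """HandleURL side: verify the posted form and answer with a 302 carrying
    the token in the 'auth' GET parameter (name assumed for the example).
    Returns (status, headers, body)."""
    user = get_parameter(body, "username") or ""
    password = get_parameter(body, "password") or ""
    expected = CREDENTIALS.get(user)
    if expected is None or not hmac.compare_digest(password, expected):
        return 401, {}, "invalid credentials"
    token = tokens.issue(user, client_ip, now)
    return 302, {"Location": "/?" + urlencode({"auth": token})}, ""


def token_from_location(headers):
    """Normal-page side: pull the 'auth' parameter back out of the redirect URL."""
    query = headers["Location"].partition("?")[2]
    return get_parameter(query, "auth")


if __name__ == "__main__":
    store = LoginTokens()
    status, headers, _ = handle_login(
        "username=alice&password=correct+horse+battery+staple", "203.0.113.5", store)
    tok = token_from_location(headers)
    print(status, store.redeem(tok, "203.0.113.5"), store.redeem(tok, "203.0.113.5"))
```

The second `redeem` in the usage returns None because the first one consumed the token; a replay of the redirect URL therefore fails, which is the "expire the GUID immediately upon the first successful session" step from the answer.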