To continue with this content, please log in with your Data Access ID or create a new account.
Cancel Data Access ID
You may not be authorized to see this content. Please contact Data Access Europe for more information.
Cancel Data Access Europe
You are not authorized to see this content.
Cancel Data Access Europe
Next lesson:
Key Derivation
Cancel

Security the Basics

Lesson 16: Authentication – Passcode Storage (Web App)

The first thing to do when storing a passcode is to make sure that a new passcode is immediately encoded when it is first entered. To help with this, a mixin has been created that can be used in the Data Dictionary. 

From the ‘Workspace Explorer’ panel on the left, with ‘WebApp.src’ selected as the current project, ‘Data Dictionaries’ is expanded, and ‘cWebAppUserDataDictionary.dd’ is selected.

The top section of the code shows the cSecurePasscodeStorageMethod object that is setup very similar to that of the example in Lesson 15 of this course. The object is then linked to the Data Dictionary using cSecurePasscodeStorageMethod_DD_Mixin. The Import_Class_Protocol is used for the class, the define method, Define_cSecurePasscodeStorageMethod_DD_Mixin, is called to initialize a few things, and then the Field_PasscodeStorageObject method is used. In this example, it’s done for the WebAppUser.Password field, and it is set to the object defined at the top of the code. 

The next step is to verify the passcode upon login. In a standard web application that is done in the Session Manager. With the same project selected in the ‘Workspace Explorer’ panel on the right, expand ‘Web Browser Objects,’ and select ‘SessionManager.wo.’ 

The Session Manager includes a standard method that is called for verifying passwords - ‘cWebSessionManagerStandard.’ 

To view its definition, locate it in the code, right click on in, and select ‘Go to definition.’ 

Then from the ‘Code Explorer’ panel on the left, expand ‘cWebSessionManagerStandard’ and select ‘ComparePasswords.’ 

This function compares the content of the user’s password field with the entered password. This is to be overwritten.

The security library has the VerifyPasscode method to do so, and it is located in the ghoSecurity object. It needs the uChar array of the passcode by reference, and the storage string retrieved from the database. In this example it is the sUserPassword parameter, which is returned whether or not it is valid. A Boolean needs to be created for that - bValid. The ucaPasscode needs to be filled – Move (StringToUCharArray(sEnteredPassword)) to ucaPasscode. bValid is also returned – Function-Return bValid. This is all that needs to be done to compare the passwords during login.