Logging in to a website from a program

3

I have a site written in PHP with a login, and I'm making a desktop application (Windows) from which I'm trying to log in to that site over the web.

My PHP system works as follows: it creates a PHP session and stores the session-relevant data in a cookie. The authorization system has 4 return values: 1 when login is successful, -1 when the password is incorrect, -2 when the user is incorrect, and -3 when the user gets the password wrong more than 5 times in less than 1 hour (anti-brute-force).

I found some code by searching the web (I'll owe you the references; it's been a while since I found it) and it works: if I try to log into my site with my credentials the return is 1, and the other return values are correct as well.

The big problem is being able to "handle" this session. When we close the browser, for example, I'm still logged in when I open it again, because the cookie is "holding" the session. To test this, I created a page logged.php, which basically returns 'Logged' when logged in and the opposite when not.

In the browser it works normally, but in my program I'm always logged out!

Here is my login() method, which does all the work:

using System;
using System.IO;
using System.Net;
using System.Text;
using System.Windows.Forms;

private void login()
{
    string formUrl = "http://exemplo.com.br/auth.php";
    string formParams = string.Format("username={0}&password={1}", username.Text, password.Text);
    string cookieHeader;
    // POST the credentials to auth.php
    WebRequest req = WebRequest.Create(formUrl);
    req.ContentType = "application/x-www-form-urlencoded";
    req.Method = "POST";
    byte[] bytes = Encoding.ASCII.GetBytes(formParams);
    req.ContentLength = bytes.Length;
    using (Stream os = req.GetRequestStream())
    {
        os.Write(bytes, 0, bytes.Length);
    }
    // Grab the raw Set-Cookie header from the login response
    WebResponse resp = req.GetResponse();
    cookieHeader = resp.Headers["Set-cookie"];
    MessageBox.Show(cookieHeader);
    // Send that header back as-is when requesting logged.php
    string pageSource;
    string getUrl = "http://exemplo.com.br/logged.php";
    WebRequest getRequest = WebRequest.Create(getUrl);
    getRequest.Headers.Add("Cookie", cookieHeader);
    WebResponse getResponse = getRequest.GetResponse();
    using (StreamReader sr = new StreamReader(getResponse.GetResponseStream()))
    {
        pageSource = sr.ReadToEnd();
        MessageBox.Show(pageSource);
    }
}

I have some other sub-questions, like: Is this safe? What would be the best way to do the returns and add data? Is it fine to use POST/GET for a page with a SELECT in MySQL? But we'll leave those for later!

asked by anonymous 20.09.2014 / 23:18

2 answers

5

Use CookieContainer:

using System;
using System.IO;
using System.Net;
using System.Text;
using System.Windows.Forms;

string formUrl = "http://exemplo.com.br/auth.php";
string formParams = string.Format("username={0}&password={1}", username.Text, password.Text);

var cookies = new CookieContainer(); // add this line

var request = WebRequest.Create(formUrl) as HttpWebRequest; // modified line
// some changes below
request.CookieContainer = cookies;
request.ContentType = "application/x-www-form-urlencoded";
request.Method = "POST";

byte[] bytes = Encoding.ASCII.GetBytes(formParams);
request.ContentLength = bytes.Length;
using (Stream os = request.GetRequestStream())
{
    os.Write(bytes, 0, bytes.Length);
}

// I removed some code here; there is no need to read the server response manually.
// The response still has to be received (and closed) so the Set-Cookie lands in the container.
using (request.GetResponse()) { }

string getUrl = "http://exemplo.com.br/logged.php";
var getRequest = WebRequest.Create(getUrl) as HttpWebRequest;
getRequest.CookieContainer = cookies; // same container, so the session cookie is sent back
getRequest.Method = "GET";
try
{
    using (WebResponse getResponse = getRequest.GetResponse())
    using (StreamReader sr = new StreamReader(getResponse.GetResponseStream()))
    {
        // WRITE THE OUTPUT:
        MessageBox.Show(sr.ReadToEnd());
    }
}
catch (Exception ex)
{
    MessageBox.Show(ex.Message);
    throw;
}

Reference: Link

On the security question, see @chambelix's answer, which explains it very well.

20.09.2014 / 23:42
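The same login-then-check flow written against HttpClient, as an added example that is not the question's or either answer's code; it assumes the contract the question describes (auth.php replies 1, -1, -2 or -3, logged.php replies "Logged") and that the site is served over https.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Added example, not the question's or either answer's code. Assumed contract (from the
// question): auth.php answers "1", "-1", "-2" or "-3"; logged.php answers "Logged".
public enum AuthResult { Ok = 1, WrongPassword = -1, UnknownUser = -2, LockedOut = -3 }

public sealed class SiteSession : IDisposable
{
    private readonly HttpClient _http;
    public SiteSession(Uri baseUri)
    {
        // The session cookie is a bearer token, so never let it travel over plain http.
        if (baseUri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("use an https base URL", nameof(baseUri));
        // One CookieContainer shared by every request: the PHPSESSID set by auth.php is kept
        // with its Path/Expires/HttpOnly attributes and replayed on logged.php automatically.
        var handler = new HttpClientHandler { UseCookies = true, CookieContainer = new CookieContainer() };
        _http = new HttpClient(handler) { BaseAddress = baseUri };
    }

    public async Task<AuthResult> LoginAsync(string user, string password)
    {
        // FormUrlEncodedContent percent-encodes the fields; the string.Format body in the
        // question breaks on an '&' or '=' inside the password.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
            { ["username"] = user, ["password"] = password });
        using (HttpResponseMessage resp = await _http.PostAsync("auth.php", form))
        {
            resp.EnsureSuccessStatusCode();
            string body = (await resp.Content.ReadAsStringAsync()).Trim();
            // Only the four documented outcomes are accepted; anything else is an error.
            if (!int.TryParse(body, out int code) || !Enum.IsDefined(typeof(AuthResult), code))
                throw new InvalidOperationException("unexpected auth.php reply: " + body);
            return (AuthResult)code;
        }
    }

    // Replays the cookie captured at login; true only while the server still knows the session.
    public async Task<bool> IsLoggedInAsync()
    {
        string body = await _http.GetStringAsync("logged.php");
        return body.Trim() == "Logged";
    }

    public void Dispose() => _http.Dispose();
}
```

Branch on the AuthResult before calling IsLoggedInAsync; a LockedOut reply means the account hit the 5-attempts-per-hour limit and the client should stop retrying rather than loop.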
2

I find myself developing a project whose essence is almost the same: desktop software that accesses a PHP and MySQL system holding the users' identities.

Reading your question and noticing some concern about security issues and defending against possible attacks, I wanted to let you know that a system that stores content in cookies is clearly not a strong point when it comes to security. In other words, never trust data coming from the client, especially an easily manipulated cookie.

Then many other levels have to be taken into account, like concurrent accesses, authenticity of users, etc.

At most, a cookie should carry the Session_Id, and the session should be handled securely on the server side, but that is another war.

21.09.2014 / 17:20