CodeCharge Studio

Advanced Security Settings

The "Advanced Security Settings" dialog provides extended security configuration options, which further improve the usability and security of your Web application. The following options are provided:

Session Variables
In this section you can specify the names of the three session variables listed below, which are created automatically when a user logs in and preserved for the duration of the user session. A user is considered logged in as long as these variables are present.
For security reasons it is recommended that you use different variable names for different applications hosted on the same server, especially if they are served via a single domain name. This prevents a user from gaining access to multiple applications after logging in to one of them.

User Id Variable
Defines the name of the session variable that stores the id of the currently logged-in user.
You can also use this session variable as a form data source parameter, for example to display only the data that belongs to the current user.

User Login Variable
Defines the name of the session variable that stores the login of the currently logged-in user.

Group ID Variable
Defines the name of the session variable that stores the security group of the currently logged-in user. This session variable is used to determine whether the current user has access to restricted pages and forms.

[x] Encrypt passwords using
Enable this feature if:
  • User passwords are (or will be) stored in the database in an encrypted format.
  • You want passwords entered by users on registration and user maintenance forms to be stored in the database in an encrypted format (optional).

By enabling this feature, the login page validates each user's password by encrypting the submitted value and searching the database for a matching encrypted password. The passwords must already be stored encrypted in the database, or you must create a user registration form that saves passwords in encrypted form, as described in Implementing Password Encryption.
CodeCharge Studio provides two methods of protecting password confidentiality: encrypting passwords with a database function, or with programming code (a code expression).

Notes:

  • Enabling, disabling, or changing the encryption method may invalidate all passwords already stored in the database using a previous encryption method.
  • Using encryption can make it more difficult to validate user passwords by external applications that may not support encryption or utilize a different encryption algorithm.
Database Function
Database encryption function or database expression used to encrypt the password string.

Provide the name of a database function that encrypts a single string value; do not include the string argument itself.
Sample values for MySQL:

MD5
PASSWORD
SHA1

Alternatively, you can specify a database expression and include {password} as the argument in place of the string to be encrypted.
Sample values for MySQL:

MD5({password})
PASSWORD({password})
SHA1({password})

Note: User passwords transferred from one database type to another, for example from MySQL to MS SQL Server, may become invalid if the new database doesn't support a compatible encryption function.

Code Expression
Programming code used to encrypt the password string. Specify an encryption function and include {password} in place of the string to be encrypted.
Examples of code expressions for the supported programming languages:

Language    Expression
ASP         MD5({password})
PHP         md5({password})
Perl        md5_hex({password})
ColdFusion  Hash({password})
VB.Net      SecurityUtility.MD5({password})
C#          SecurityUtility.MD5({password})
Java        Utils.MD5({password})
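To make the validation flow concrete, here is an added illustration in Python (not CodeCharge Studio's own code; the function names, the regular expression and the sample user rows are constructed for this example) of a login page applying a configured expression such as MD5({password}) or the bare function name SHA1 to a submitted password and comparing the result with the stored value. It also shows the effect described in the notes above: switching the expression invalidates passwords stored with the previous one.

```python
import hashlib
import hmac
import re

# Functions this illustration can apply. MySQL's PASSWORD() has no portable
# equivalent here, the kind of gap the portability note above warns about.
_FUNCTIONS = {
    "MD5": lambda s: hashlib.md5(s.encode("utf-8")).hexdigest(),
    "SHA1": lambda s: hashlib.sha1(s.encode("utf-8")).hexdigest(),
}

# Accepts a bare function name ("MD5") or a call with the placeholder
# ("MD5({password})"), the two forms the dialog accepts.
_EXPR = re.compile(r"^\s*([A-Za-z0-9_]+)\s*(?:\(\s*\{password\}\s*\))?\s*$")


def encrypt_password(expression, password):
    """Apply the configured expression to the clear-text password."""
    m = _EXPR.match(expression)
    name = m.group(1).upper() if m else None
    if name not in _FUNCTIONS:
        raise ValueError("unsupported encryption expression: %r" % expression)
    return _FUNCTIONS[name](password)


def validate_login(users, login, password, expression):
    """Return the user id on success, otherwise None.

    users is a constructed stand-in for the users table:
    login -> (user_id, group_id, stored_encrypted_password).
    """
    row = users.get(login)
    if row is None:
        return None
    user_id, _group_id, stored = row
    candidate = encrypt_password(expression, password)
    return user_id if hmac.compare_digest(candidate, stored) else None


# Constructed sample rows, saved while the project used MD5({password}).
USERS = {
    "alice": (1, 2, hashlib.md5(b"s3cret").hexdigest()),
    "bob": (2, 1, hashlib.md5(b"hunter2").hexdigest()),
}

if __name__ == "__main__":
    print(validate_login(USERS, "alice", "s3cret", "MD5({password})"))  # 1
    # Changing the expression invalidates passwords stored with the old one.
    print(validate_login(USERS, "alice", "s3cret", "SHA1({password})"))  # None
```

The MD5 and SHA1 functions the dialog lists are unsalted, fast digests, so the expression you configure is a security decision as much as a compatibility one.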

[x] Enable 'Remember Me' feature
Enables the Remember Me feature on login forms and allows the application to skip the login process on the user's subsequent visits.

Cookie Name
Defines the name of the cookie that stores the user's login information.

Expiring in (Numeric)
Specifies the number of days before the cookie expires. The user will be prompted to log in again after this period.

Sliding Expiration
Specifies whether the cookie expiration should be reset to the "Expiring in" value upon each successful login. This extends the life of the cookie each time the user is successfully authenticated.

Encryption Key
128-bit encryption key used to encrypt the user login and password before storing them in a cookie. CCS automatically generates a default encryption key, unique to each project, which can then be changed in this dialog. Note that changing the encryption key resets the 'Remember Me' feature: users with previously saved passwords must log in again manually on their next visit.


   
