Client-server application
-
I am going to develop client-server application. First of all i am interested how to realize sessions. Is identifying user by IP after authorization the best way? Or sending login with password in packets each time is better. Does QT have already done decisions?
-
Using the IP address for authentication is nonsense! First of all, users with dial-up internet connection (like DSL) get a new IP address every time they connect (or after 24h). Thus IP address 123 might be assigned to "Alice" now, but two hours later that very same address might be assigned to "Bob". Also there may be a large number of computers (e.g. a complete company or a complete university!) connected to the Internet trough a NAT router. So it's easily possible that you have hundreds of users with the very same (public) IP address...
You will need to authenticate the session with login + password, but don't even dare to send the password un-encrypted. Send them via encrypted connection - or use a challenge-response method. Also never (never ever!) store passwords on the server as plain text. Store (salted!) hashes of passwords.
-
The documentation says
The session manager is used to save the session, e.g., when the machine is shut down, and to restore a session, e.g., when the machine is started up. We recommend that you use QSettings to save an application's settings, for example, window positions, recently used files, etc. When the application is restarted by the session manager, you can restore the settings.For network app i'd recommended use array of password+login and session parameters. In case accessing is done without passwords you can generate some unique data for identify user and send back to him. All subsequent requests will be done with this identifier, in case a long idle identifier on server side will be destroyed and user start new session.
-
What is your idea of what this session is supposed to represent?
Normally, a session would just be the time a TCP connection stays open. Why do you think you need to send some kind of token back and forth the whole time?Anyway, if you want your sessions to survive disconnects, for instance if you're going to be using very unrelyable networks, you might want to consider having the server send a token to the client after the log in that can be used as the session key. Obviously, such tokens should not be exchanged in the plain. Use an SSL connection instead, otherwise you're going to be vunerable to man-in-the-middle attacks.
-
I am never used QSslSocket here are some examples:
"http://www.developer.nokia.com/Community/Wiki/Sample_QSslSocket_Example":http://www.developer.nokia.com/Community/Wiki/Sample_QSslSocket_Example
"http://qt-project.org/forums/viewthread/21401":http://qt-project.org/forums/viewthread/21401
"http://doc.qt.digia.com/4.7/network-securesocketclient.html":http://doc.qt.digia.com/4.7/network-securesocketclient.html -
Using an SSL socket is not that much more complicated than using a plain TCP socket. If you are going to allow authentication based on a token, you should IMHO not exchange this token in plain text over an open connection. Not unless you really want your application to get hacked...
-
I did enough efforts but I have never worked with SSL. Example would help me.
http://qt-project.org/forums/viewthread/21401 this is server example. But I don't know how can I make it working.This attempt does not work.
[CODE]
#include <QApplication>
#include <QtNetwork/QSslSocket>
#include <QDebug>class Server : public QObject
{
public:
void f()
{
m_socket = new QSslSocket(this);
m_socket->setSocketDescriptor(handle);
m_socket->setProtocol(QSsl::SslV3);QByteArray key; QByteArray cert; QFile file_key("../ssl/server.key"); if(file_key.open(QIODevice::ReadOnly)) { key = file_key.readAll(); file_key.close(); } else { qDebug() << file_key.errorString(); } QFile file_cert("../ssl/server.crt"); if(file_cert.open(QIODevice::ReadOnly)) { cert = file_cert.readAll(); file_cert.close(); } else { qDebug() << file_cert.errorString(); } //qDebug() << key + "\n" + cert; QSslKey ssl_key(key, QSsl::Rsa); QSslCertificate ssl_cert(cert); m_socket->setPrivateKey(ssl_key); m_socket->setLocalCertificate(ssl_cert); m_socket->startServerEncryption(); }private:
QSslSocket m_socket;
};int main( int argc, char **argv )
{
Server server;
server.f();
}
[/CODE] -
In addition to what Andre said: Are sure that "../ssl/server.crt" is the right path ?
-
I created an application object but code is still not compiling as I expected.
main.cpp:10: error: no match for 'operator=' in '((Server*)this)->Server::m_socket = (operator new(8u), (<statement>, ((QSslSocket*)<anonymous>)))'
[code]
#include <QApplication>
#include <QtNetwork/QSslSocket>
#include <QDebug>class Server : public QObject
{
public:
void f()
{
m_socket = new QSslSocket(this);
m_socket->setSocketDescriptor(handle);
m_socket->setProtocol(QSsl::SslV3);QByteArray key; QByteArray cert; QFile file_key("../ssl/server.key"); if(file_key.open(QIODevice::ReadOnly)) { key = file_key.readAll(); file_key.close(); } else { qDebug() << file_key.errorString(); } QFile file_cert("../ssl/server.crt"); if(file_cert.open(QIODevice::ReadOnly)) { cert = file_cert.readAll(); file_cert.close(); } else { qDebug() << file_cert.errorString(); } //qDebug() << key + "\n" + cert; QSslKey ssl_key(key, QSsl::Rsa); QSslCertificate ssl_cert(cert); m_socket->setPrivateKey(ssl_key); m_socket->setLocalCertificate(ssl_cert); m_socket->startServerEncryption(); }private:
QSslSocket m_socket;
};int main( int argc, char **argv )
{
QApplication app(argc, argv);if (!QSslSocket::supportsSsl()) { QMessageBox::information(0, "Secure Socket Server", "This system does not support OpenSSL."); return -1; } Server server; server.f(); return app.exec();}
[/code] -
Have a look at the declaration of m_socket
-
That's not all for m_socket.
Please, search the documentation a bit "Other libraries":http://qt-project.org/doc/qt-4.8/qmake-project-files.html#declaring-other-libraries
