Nominate our 2022 Qt Champions!

Suggestions on creating a user authentication system.

  • I have created a simple http server that can map various urls to functions, deal with sessions and cookies, as well as read parameters located in a url.

    What I hope to do now is create a login system that will be somewhat secure.
    I do not know how to go on about it though. As a first test what I did was to connect to my server with a url like this:


    I would then read the value of pass and if it was found inside a database that my server is connected to, then I would simply return a success message to the client.

    I do understand from the little that I have read that I will have to change my server in order to use ssl, so the data sent between the client and it will be secure, and also that I will have to use a string encryption (possibly some external library).

    If you have ever dealt with a similar situation or can provide some good advise on how should I implement my user authentication system, I'd be happy to hear.

  • Lifetime Qt Champion


    User authentication should follow either:

    Depending on what your server should serve, a two factor authentication method might also be something to study.

    What framework are you using ?

  • From the aforementioned methods I believe digest authentication would be a good solution for me. In fact I started to do something similar right before I read your answer. I discovered botan that seems to be able to encrypt passwords. Unfortunately after trying to use it (by just including botan.h in a test project it threw a bunch of errors.)

    If by framework you mean what I used to create the server, then nothing. Its a purely Qt server.

    The idea behind this project was that I would have an app that will store some data not on the local machine but on a remote server. Offering something like cloud functionality, in order to back up or share data.

    Having this in mind I created the server. It works fine until now, accepting requests and answering with the correct templates as needed. So being at this point it makes sense to add some sort of authentication or else the user data will be open to anybody.

  • Lifetime Qt Champion

    Did you consider using Qt Cloud Services ? Following your description, they provide what you need

  • Yes I do know about Qt Cloud Services. A while ago i did some tests with that too, and also tried uploading my server to a MAR instance but failed during compilation.

    Wouldn't I still need to develop the login system though?
    They offer the space and database for me to use, but I believe it is up to me to actually implement what I want in one of the languages they support.


    I did a simple test with QCryptographicHash using

    QByteArray result = hash1->hash(myPass.toLatin1(), QCryptographicHash::Sha3_512);

    I have no idea if SHA3 is good enough to depend upon though.

    My other alternative would be using bcrypt
    That I do know is quite a secure algorithm.

    And of curse I would have to modify the server to use SSL right?

    I did also some test with bcrypt and it seems to be working fine.

    Before I continue implementing this, just to be sure, what I am supposed to do is :
    get the users password (through a secure connection),
    read that value in my server,
    hash it, and compare it with the value on my database,
    and I'm done.

  • Lifetime Qt Champion

    It's rather: establish a secure connection to your server, that's simple: make it only accept https connection. Then you need to send the credential from your client to your server and do the checks

  • I guess you are right, establishing a secure connection is very important, but
    I originally did my server only using http, following the various Qt examples. So now I found it hard to make it use https.
    Qt's example on a secure connection did not help me very much because my servers architecture is a little bit different and that example is not... flexible to change I would say.
    Someone here in the forums recommended this, from which I learned a great deal of things but it is using simple http, as most of the servers I have seen in Qt.

  • Lifetime Qt Champion

    For the connection encryption setup, see QSslSocket

  • I tried making my server use QSslSocket (I created some self signed keys) but when trying to connect to it I get

    QIODevice::read: device not open

    So now I am in the process of trying to find what is happening.

  • Lifetime Qt Champion

    How are you creating it ?

  • I have a 'Listener' class that is subclassing QTcpServer

    class Listener : public QTcpServer {

    It is using a worker

    class NewConnectionHandler : public QThread {

    In this worker class I provide a socket for the server to use in each new connection

    QFile certFile(QStringLiteral("./certificate/testC.cer"));
    QFile keyFile(QStringLiteral("./certificate/testR.pem"));;;
    QSslCertificate certificate(&certFile, QSsl::Pem);
    QSslKey sslKey(&keyFile, QSsl::Rsa, QSsl::Pem);
    connect(&sslSocket, SIGNAL(readyRead()), SLOT(read()));
    connect(&sslSocket, SIGNAL(disconnected()), SLOT(disconnected()));
    connect(&readTimer, SIGNAL(timeout()), SLOT(readTimeout()));

    This is pretty much what I am trying to do. The server is highly based from the one in the link I provided, and the one from VoidRealm's youtube video.

  • Lifetime Qt Champion

    On what is the first moveToThread called ?

  • I use moveToThread for the ConnectionHandler class (class NewConnectionHandler) that takes care of creating a socket in the manner described above. I then return it to my listener class. It works for a TcpSocket, but if I try to alter it like above then it stops working.

  • Lifetime Qt Champion

    If you really want to use multithreading then have a look at the Threaded Fortune Server example

  • I have. Usually all my projects get inspired by either the examples or some other project that someone has put on the web. Its just that sometimes I have trouble moving them to the next level, just like with this one.

Log in to reply