
I am creating a win32 application in C++. The user will need to login with username and password. These will be used to authenticate to a web server and then the application will communicate with the web server. I would like the user to only need to input credentials the first time opening the app by having the username and password saved somewhere. How should I accomplish this? I could just save it in some plaintext file. But it looks like from searches that there is something called DPAPI? I'm not sure what is appropriate for my use. This is my first time creating a win32 application.

user782220
  • Have you done the web server authentication part yet? If it's a local IIS web server you can implement windows authentication. Then no credentials get saved anywhere and you don't have to maintain another identity store. Always think twice before reinventing the wheel, _particularly_ identity management (i.e. login/password) – Nick.Mc Oct 22 '18 at 04:38
  • The web server is not local. – user782220 Oct 22 '18 at 05:16
  • OK. What is it? What authentication method is it currently using? There are any number of methods for encrypting / decrypting passwords if you can't avoid having to manage new login/password – Nick.Mc Oct 22 '18 at 05:18
  • BTW it's not normal to encrypt passwords because someone can invariably decrypt them. Persisting a login to a web site is normally achieved by cookies and tokens and stuff so it is really quite reliant on how your web site manages logins. – Nick.Mc Oct 22 '18 at 05:20
  • I'm not sure I understand the question. As far as the web server is concerned this login will look like a normal post request over https I think. I will be using the boost beast C++ library to do this all so I don't want to think about cookies because first off where would I put them securely (that is the same problem right) and beast doesn't support high level cookie stuff. – user782220 Oct 22 '18 at 05:46
  • Don't store passwords. Your website should send back an authentication token and you store this. – Jonathan Potter Oct 22 '18 at 06:10
  • Do you have any requirement for all this to be at all secure. Because the way you are talking it doesn't sound like you are on the path to security. – David Heffernan Oct 22 '18 at 07:07
  • "this login will look like a normal post request over https" So does it do the login post only once? (this is normal as per @JonathanPotter comment), or does it do it every post (this is not normal for web apps, and this _would_ require you to cache a login/password which is also a bad practice). – Nick.Mc Oct 22 '18 at 07:48
  • In other words.... a standard web API does not require you to cache login/pwd for repeated web requests. That's why I ask what authentication method is your existing web app _currently_ using. If you don't know or if you haven't yet built it then you are asking the wrong question. Build the web app first with a secure login process and you should not need to cache any login/pwd – Nick.Mc Oct 22 '18 at 08:48
  • See here for some background on typical web authentication methods. https://stackoverflow.com/questions/1592534/what-is-token-based-authentication – Nick.Mc Oct 22 '18 at 08:48
  • Ok so I did some more research and I believe now I understand what you mean by authentication token. I'm going with that and store it in a file. What kind of security concerns should I have with that? – user782220 Oct 22 '18 at 18:44
  • An authentication token usually expires. So there's no point storing it in a file. And usually it's transparently managed with cookies if you use a suitable API. – Nick.Mc Oct 23 '18 at 09:10
