The best solution for the web registration and login module with VB6.
I'm going to develop a web registration and login module with VB6, I think of the following scenarios:
(1) ASP page
(2) VB6 Form + Winsock
(3) VB6 Form + vbRichClient5 RPC
(4) VB6 Form + WinHttp
I would like to know which one is the best solution? In other words, which one is the easiest, most efficient and secure solution? Any advice and suggestions would be greatly appreciated.
Edit:
Perhaps it should be called a web user (account) management module. I want to develop a web user (account) management module for my PC-Desktop program, and the users information (accounts information) is stored on the cloud-server. In other words, only after users have registered and successfully logged on to the cloud server, they can use my PC-Desktop program.
Last edited by dreammanor; Feb 12th, 2018 at 02:46 PM.
Re: The best solution for the web registration and login module with VB6.
Originally Posted by Eduardo-
I have no idea what you are going to do. Could you explain please?
Are you going to develop a VB6 program that generates web pages or what?
Hi Eduardo, perhaps it should be called a web user (account) management module. I want to develop a web user (account) management module for my PC-Desktop program, and the users information (accounts information) is stored on the cloud-server. In other words, only after users have registered and successfully logged on to the cloud server, they can use my PC-Desktop program.
Re: The best solution for the web registration and login module with VB6.
Originally Posted by dreammanor
Hi Eduardo, perhaps it should be called a web user (account) management module. I want to develop a web user (account) management module for my PC-Desktop program, and the users information (accounts information) is stored on the cloud-server. In other words, only after users have registered and successfully logged on to the cloud server, they can use my PC-Desktop program.
OK, then if you need to get a token with OAuth or OAuth2, you will need Winsock (to set up a local web server in the user machine to get the response from the browser) and WinHttp to make all communication with the web server.
If you don't need to deal with OAuth or OAuth2, then just WinHttp.
Re: The best solution for the web registration and login module with VB6.
Originally Posted by Eduardo-
OK, then if you need to get a token with OAuth or OAuth2, you will need Winsock (to set up a local web server in the user machine to get the response from the browser) and WinHttp to make all communication with the web server.
Not strictly necessary. Google OAuth2 impl supports custom redirect_url as `urn:ietf:wg:oauth:2.0:oob` especially for desktop apps. In this mode Authorization code is exchanged via browser title as this browser is supposed to be hosted inside a form of the application. Then just in case the user is instructed to close the page but usually the app closes the hosted browser immediately upon title change. This works very consistently and does not require any redirects, esp. when user's workstation is behind (multiple) firewalls.
In OAuth2 the idea is this Authorization code to be subsequently once exchanged for access_token and/or refresh_token for later use. The VbGcp (google cloudprint) sample I mentioned above does the whole OAuth2 + REST service access.
The user management part is hard -- this is Google Accounts interface, with all registration and validation, password lifecycle/reset, 2FA, authorization consent screens, auditing, linked apps management, etc.
Usually security is off-loaded to AD or some LDAP implementation. Then a stock user registration web-interface is bolted to this. Then some OAuth2 impl is bound to the LDAP server like IdentityServer esp. if some kind of federation is required (e.g. foreign e-mail registrations + our Windows domain accounts to be valid for a system).
Re: The best solution for the web registration and login module with VB6.
Originally Posted by wqweto
as this browser is supposed to be hosted inside a form of the application.
That's allowed but is considered a bad practice.
The best practice is to let the user authenticate with the browser that he normally uses to navigate.
If I, as a user, had to enter some important credentials, I wouldn't like to do it inside a third party application.
I prefer to do it in my browser, where I can see that there is no phishing or something else.
Edit: besides, doing that you depend on some Internet Explorer installed on the end user machine (and being available for your program).
Re: The best solution for the web registration and login module with VB6.
Originally Posted by Eduardo-
Edit: besides, doing that you depend on some Internet Explorer installed on the end user machine (and being available for your program).
If you suggest implementing a custom web server to point `redirect_url` to localhost, then perhaps implementing a custom browser with winsock might be simpler. I consider both a bit off the limits of acceptable not-invented-here syndrome.
Entering credentials into LOB apps is common, usually upon startup the user has to authenticate somewhere, unless using saved credentials (the `refresh_token` in OAuth2 terms) so this will be no surprise IMO.
Re: The best solution for the web registration and login module with VB6.
Originally Posted by wqweto
If you suggest implementing a custom web server to point `redirect_url` to localhost, then perhaps implementing a custom browser with winsock might be simpler. I consider both a bit off the limits of acceptable not-invented-here syndrome.
I don't know if we are talking about the same thing.
Making a temporary localhost "server" to receive the browser answer is a very simple task. A few lines of code.
Making a custom browser that can handle https and whatever the login page could have implemented (or changed), seems crazy to me.
And even if you manage to do that, it doesn't address the confidence issue (in fact it gets worse).
Originally Posted by wqweto
Entering credentials into LOB apps is common, usually upon startup the user has to authenticate somewhere, unless using saved credentials (the `refresh_token` in OAuth2 terms) so this will be no surprise IMO.
cheers,
</wqw>
It may be common, and I believe it. Still not good.
If there is no other option, then OK. But the other approach is not too difficult. The only downside is that it needs Winsock.
There are also some winsock replacements with source code out there.
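The temporary localhost listener discussed in the posts above, as an added example in Python rather than VB6/Winsock (it is not code from the thread or from any poster's project): it binds to 127.0.0.1 only, serves exactly one request, and refuses a callback whose `state` does not match the value the app generated. It goes slightly beyond the thread by also producing a PKCE verifier/challenge pair (RFC 7636); the `/callback` path and all function names are assumptions.

```python
import base64, hashlib, hmac, secrets, socket
from urllib.parse import urlsplit, parse_qs

def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def open_loopback_listener():
    """Bind to 127.0.0.1 only (never 0.0.0.0) on an OS-chosen free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, "http://127.0.0.1:%d/callback" % srv.getsockname()[1]

def parse_callback(request_line, expected_state):
    """Extract the authorization code from 'GET /callback?... HTTP/1.1'.
    Returns None if the request is malformed, reports an error, or its
    state differs from the one generated for this login attempt."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    if url.path != "/callback":          # assumed callback path
        return None
    q = parse_qs(url.query)
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return None
    if "error" in q or len(q.get("code", [])) != 1:
        return None
    return q["code"][0]

def wait_for_code(srv, expected_state, timeout=120.0):
    """Accept one connection, answer it, then close the listener."""
    srv.settimeout(timeout)
    try:
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5.0)
            raw = conn.recv(8192).split(b"\r\n", 1)[0]
            code = parse_callback(raw.decode("ascii", "replace"), expected_state)
            status = b"200 OK" if code else b"400 Bad Request"
            body = b"Login complete, you can close this tab." if code else b"Login failed."
            conn.sendall(b"HTTP/1.1 " + status + b"\r\nContent-Type: text/plain\r\n"
                         b"Content-Length: " + str(len(body)).encode() +
                         b"\r\nConnection: close\r\n\r\n" + body)
        return code
    finally:
        srv.close()
```

The returned code is still only an authorization code; the app exchanges it, together with the PKCE verifier, for tokens over HTTPS.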
Re: The best solution for the web registration and login module with VB6.
Originally Posted by Eduardo-
And even if you manage to do that, it doesn't address the confidence issue (in fact it gets worse).
Wait, in your suggested solution there is still a browser involved -- the default one, which might not be IE (but still might be exactly IE). And then this browser redirects to a custom web server component of the application, that must be listening on localhost which shows a warning from windows firewall that might get rejected by accident by the scared end-user.
I'll be less confident in an app if it shells a browser to enter my login (like 90% of phishing attacks) than a desktop app that shows a form with its logo and icons that prompts me for credentials. Probably 90% of end-users will not notice it's a hosted browser.
I'm just suggesting that the web server part can be skipped to reduce app's moving parts, it is not required by OAuth2 for so called "installed apps" and just introduces unneeded complexity.
Re: The best solution for the web registration and login module with VB6.
Originally Posted by wqweto
Not strictly necessary. Google OAuth2 impl supports custom redirect_url as `urn:ietf:wg:oauth:2.0:oob` especially for desktop apps. In this mode Authorization code is exchanged via browser title as this browser is supposed to be hosted inside a form of the application. Then just in case the user is instructed to close the page but usually the app closes the hosted browser immediately upon title change. This works very consistently and does not require any redirects, esp. when user's workstation is behind (multiple) firewalls.
</wqw>
Very useful information, thank you very much.
Originally Posted by wqweto
In OAuth2 the idea is this Authorization code to be subsequently once exchanged for access_token and/or refresh_token for later use. The VbGcp (google cloudprint) sample I mentioned above does the whole OAuth2 + REST service access.
</wqw>
Great, I'll study your code carefully.
Originally Posted by wqweto
The user management part is hard -- this is Google Accounts interface, with all registration and validation, password lifecycle/reset, 2FA, authorization consent screens, auditing, linked apps management, etc.
</wqw>
Now Web User Management System is the biggest obstacle I'm facing when developing Web-App.
Originally Posted by wqweto
Usually security is off-loaded to AD or some LDAP implementation. Then a stock user registration web-interface is bolted to this. Then some OAuth2 impl is bound to the LDAP server like IdentityServer esp. if some kind of federation is required (e.g. foreign e-mail registrations + our Windows domain accounts to be valid for a system).
cheers,
</wqw>
Well, I need to spend more time to understand the relevant knowledge. Thank you so much, wqweto.
Re: The best solution for the web registration and login module with VB6.
Originally Posted by wqweto
as this browser is supposed to be hosted inside a form of the application.
Originally Posted by Eduardo-
That's allowed but is considered a bad practice.
The best practice is to let the user authenticate with the browser that he normally uses to navigate.
If I, as a user, had to enter some important credentials, I wouldn't like to do it inside a third party application.
I prefer to do it in my browser, where I can see that there is no phishing or something else.
Edit: besides, doing that you depend on some Internet Explorer installed on the end user machine (and being available for your program).
I often need to host a web browser inside a VB6 Form. Also, I plan to change all my VB6 desktop software's forms to web pages (dynamically generated pages).
Originally Posted by wqweto
If you suggest implementing a custom web server to point `redirect_url` to localhost, then perhaps implementing a custom browser with winsock might be simpler. I consider both a bit off the limits of acceptable not-invented-here syndrome.
Entering credentials into LOB apps is common, usually upon startup the user has to authenticate somewhere, unless using saved credentials (the `refresh_token` in OAuth2 terms) so this will be no surprise IMO.
cheers,
</wqw>
Maybe I could try RC5.WebKit
Originally Posted by Eduardo-
It may be common, and I believe it. Still not good.
If there is no other option, then OK. But the other approach is not too difficult. The only downside is that it needs Winsock.
There are also some winsock replacements with source code out there.
Winsock is also one of the options, but I'm unfamiliar with Winsock.
Last edited by dreammanor; Feb 13th, 2018 at 11:55 AM.
Re: The best solution for the web registration and login module with VB6.
Originally Posted by wqweto
Wait, in your suggested solution there is still a browser involved -- the default one, which might not be IE (but still might be exactly IE). And then this browser redirects to a custom web server component of the application, that must be listening on localhost which shows a warning from windows firewall that might get rejected by accident by the scared end-user.
I'll be less confident in an app if it shells a browser to enter my login (like 90% of phishing attacks) than a desktop app that shows a form with its logo and icons that prompts me for credentials. Probably 90% of end-users will not notice it's a hosted browser.
I'm just suggesting that the web server part can be skipped to reduce app's moving parts, it is not required by OAuth2 for so called "installed apps" and just introduces unneeded complexity.
cheers,
</wqw>
Yes, Windows Firewall is a very troubling issue in Web-Apps or Remote-Apps.
Re: The best solution for the web registration and login module with VB6.
Originally Posted by wqweto
Wait, in your suggested solution there is still a browser involved -- the default one, which might not be IE (but still might be exactly IE).
Yes, it is the browser the user decided to use.
It might not be IE.
Originally Posted by wqweto
And then this browser redirects to a custom web server component of the application, that must be listening on localhost which shows a warning from windows firewall that might get rejected by accident by the scared end-user.
I didn't experience that.
What I'm suggesting is what the biggest companies that use OAuth2 for registration suggest for desktop applications. They discourage your approach.
Originally Posted by wqweto
I'll be less confident in an app if it shells a browser to enter my login (like 90% of phishing attacks) than a desktop app that shows a form with its logo and icons that prompts me for credentials. Probably 90% of end-users will not notice it's a hosted browser.
That would be dishonest anyway.
Originally Posted by wqweto
I'm just suggesting that the web server part can be skipped to reduce app's moving parts, it is not required by OAuth2 for so called "installed apps" and just introduces unneeded complexity.
cheers,
</wqw>
I wouldn't ask the users to do something that I wouldn't do myself. So I wouldn't ask them to enter a private login information from within my application... unless there is no other way.
And also I wouldn't make a commercial App that relies on IE installed to function.
Re: The best solution for the web registration and login module with VB6.
Originally Posted by Eduardo-
And also I wouldn't make a commercial App that relies on IE installed to function.
How do you uninstall IE? Got really curious.
With google's OAuth2 there is no need to enter your user/pass for gmail -- you can generate application passwords for each application. This gets entered once and is never asked again once the `refresh_token` is persisted by the app. It makes entering credentials for a cloud service a one time configuration and I usually keep these in Preferences dialogs of my commercial applications. No complaints so far for hosting IE in an empty form that is very well integrated with the rest of the application (header, footer, icons, whatever). It's just facilitating configuring these settings in a seamless way -- don't see anything dishonest, au contraire, it looks more trustworthy.
Binding a listener on localhost does get a firewall exception dialog for your app.exe. You probably got VB6.exe in the allowed applications once and forgot about it.
Re: The best solution for the web registration and login module with VB6.
Originally Posted by wqweto
How do you uninstall IE? Got really curious.
IE is completely obsolete today. I don't know if it will be integrated in Windows for much longer.
Originally Posted by wqweto
With google's OAuth2 there is no need to enter your user/pass for gmail -- you can generate application passwords for each application. This gets entered once and is never asked again once the `refresh_token` is persisted by the app. It makes entering credentials for a cloud service a one time configuration and I usually keep these in Preferences dialogs of my commercial applications. No complaints so far for hosting IE in an empty form that is very well integrated with the rest of the application (header, footer, icons, whatever). It's just facilitating configuring these settings in a seamless way -- don't see anything dishonest, au contraire, it looks more trustworthy.
Binding a listener on localhost does get a firewall exception dialog for your app.exe. You probably got VB6.exe in the allowed applications once and forgot about it.
cheers,
</wqw>
I don't know the particularities of Google. I know the generals of OAuth2, I didn't work with Google so far.
Re: The best solution for the web registration and login module with VB6.
wqweto,
I'm not saying it's a crime, not even that it's something wrong.
I'm just stating the reasons that made me choose the other method.
The point about potential problems with Firewalls, if real, would be a strong point against it.
I've never used it on production.
I started a project to make something with DropBox, but now abandoned it because I see they are changing the API interface often.
It would bring many problems if they change the API interface, I would have to rewrite the program every time, so I discarded it.
Edit: and about Firewalls: in both cases the user would have to grant access to the internet for the App anyway.
Last edited by Eduardo-; Feb 13th, 2018 at 01:15 PM.
Re: The best solution for the web registration and login module with VB6.
The following is the Microsoft Bing Dictionary (PC desktop edition), all interfaces are Web pages, that is, all Web pages are embedded into the Win-Form. This approach has been adopted by more and more PC desktop software. I'll also use this approach.
Re: The best solution for the web registration and login module with VB6.
Originally Posted by Eduardo-
IE is completely obsolete today. I don't know if it will be integrated in Windows for much longer.
It's a safe bet that IE (and particularly WebBrowser ActiveX control) will be supported long after VB6 runtime is gone from system32. There are even more LOB applications (not only in VB6) that utilize WebBrowser control than those written in VB6, IMO.
The `refresh_token` is part of OAuth2 workflows. Application passwords are Google's way to address end-users' (and yours) concerns of entering gmail credentials in (random) app login forms -- e.g. Outlook randomly asking for POP3 auth on lost connectivity.