Results 1 to 22 of 22

Thread: The best solution for the web registration and login module with VB6.

  1. #1

    Thread Starter
    PowerPoster
    Join Date
    Sep 2012
    Posts
    2,083

    The best solution for the web registration and login module with VB6.

    I'm going to develop a web registration and login module with VB6, I think of the following scenarios:
    (1) ASP page
    (2) VB6 Form + Winsock
    (3) VB6 Form + vbRichClient5 RPC
    (4) VB6 Form + WinHttp

    I would like to know which one is the best solution? In other words, which one is the easiest, most efficient and secure solution? Any advice and suggestions would be greatly appreciated.


    Edit:
    Perhaps it should be called a web user (account) management module. I want to develop a web user (account) management module for my PC-Desktop program, and the users information (accounts information) is stored on the cloud-server.. In other words, only after uses have registered and successfully logged on to the cloud server, they can use my PC-Desktop program.
    Last edited by dreammanor; Feb 12th, 2018 at 02:46 PM.

  2. #2
    PowerPoster
    Join Date
    Feb 2017
    Posts
    4,995

    Re: The best solution for the web registration and login module with VB6.

    I have no idea what you are going to do. Could you explain please?
    Are you going to develop a VB6 program that generates web pages or what?

  3. #3

    Thread Starter
    PowerPoster
    Join Date
    Sep 2012
    Posts
    2,083

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by Eduardo- View Post
    I have no idea what you are going to do. Could you explain please?
    Are you going to develop a VB6 program that generates web pages or what?
    Hi Eduardo, perhaps it should be called a web user (account) management module. I want to develop a web user (account) management module for my PC-Desktop program, and the users information (accounts information) is stored on the cloud-server.. In other words, only after uses have registered and successfully logged on to the cloud server, they can use my PC-Desktop program.

  4. #4
    PowerPoster
    Join Date
    Feb 2017
    Posts
    4,995

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by dreammanor View Post
    Hi Eduardo, perhaps it should be called a web user (account) management module. I want to develop a web user (account) management module for my PC-Desktop program, and the users information (accounts information) is stored on the cloud-server.. In other words, only after uses have registered and successfully logged on to the cloud server, they can use my PC-Desktop program.
    OK, then if you need to get a token with OAuth or OAuth2, you will need Winsock (to set up a local web server in the user machine to get the responde from the browser) and WinHttp to make all comunication with the web server.

    If you don't need to deal with OAuth or OAuth2, then just WinHttp.

  5. #5

    Thread Starter
    PowerPoster
    Join Date
    Sep 2012
    Posts
    2,083

    Re: The best solution for the web registration and login module with VB6.

    Hi Eduardo, thank you for your reply. But I didn't find an example of OAuth or OAuth2 on vbForums.

  6. #6
    PowerPoster
    Join Date
    Feb 2017
    Posts
    4,995

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by dreammanor View Post
    Hi Eduardo, thank you for your reply. But I didn't find an example of OAuth or OAuth2 on vbForums.
    What do you need, OAuth or OAuth2?
    I only have experience with OAuth2, and for connecting to DropBox.

  7. #7
    PowerPoster wqweto's Avatar
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,120

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by Eduardo- View Post
    OK, then if you need to get a token with OAuth or OAuth2, you will need Winsock (to set up a local web server in the user machine to get the responde from the browser) and WinHttp to make all comunication with the web server.
    Not strinctly necessary. Google OAuth2 impl supports custom redurect_url as `urn:ietf:wg:oauth:2.0:oob` especially for desktop apps. In this mode Authorization code is exchanged via browser title as this browser is supposed to be hosted inside a form of the application. Then just in case the user is instructed to close the page but usually the app closes the hosted browser immediately upon title change. This works very consistently and does not require any redirects, esp. when user's workstation is behind (multiple) firewalls.

    In OAuth2 the idea is this Authorization code to be subsequently once exchanged for access_token and/or refresh_token for later use. The VbGcp (google cloudprint) sample I mentioned above does the whole OAuth2 + REST service access.

    The user management part is hard -- this is Google Accounts interface, with all registeration and validation, password lifecycle/reset, 2FA, authorization consent screens, auditing, linked apps management, etc.

    Usually security is off-loaded to AD or some LDAP implementation. Then a stock user registration web-interface is bolted to this. Then some OAuth2 impl is bound to the LDAP server like IdentityServer esp. if some kind of federation is required (e.g. foreign e-mail registrations + our Windows domain accounts to be valid for a system).

    cheers,
    </wqw>

  8. #8
    PowerPoster
    Join Date
    Feb 2017
    Posts
    4,995

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by wqweto View Post
    as this browser is supposed to be hosted inside a form of the application.
    That's allowed but is considered a bad practice.
    The best practice is to let the user to autenticate with the browser that he normally uses to navigate.

    If I, as an user, had to enter some important credentials, I wouldn't like to do it inside a third party application.
    I prefer to do it in my browser, where I can see that there is no pishing or something else.

    Edit: besides, doing that you depends on some Internet Explorer installed on the end user machine (and being available for your program).

  9. #9
    PowerPoster wqweto's Avatar
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,120

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by Eduardo- View Post
    Edit: besides, doing that you depends on some Internet Explorer installed on the end user machine (and being available for your program).
    If you suggest implementing a custom web server to point `redirect_url` to localhost, then perhaps implementing a custom browser with winsock might be simpler. I consider both a bit off the limits of acceptable not-invented-here syndrom.

    Entering credential into LOB apps is common, usually upon startup the user has to authenticate somewhere, unless using saved credentials (the `refresh_token` in OAuth2 terms) so this will be no surprise IMO.

    cheers,
    </wqw>

  10. #10
    PowerPoster
    Join Date
    Feb 2017
    Posts
    4,995

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by wqweto View Post
    If you suggest implementing a custom web server to point `redirect_url` to localhost, then perhaps implementing a custom browser with winsock might be simpler. I consider both a bit off the limits of acceptable not-invented-here syndrom.
    I don't know if we are talking about the same thing.
    Making a temporary localhost "server" to receive the browser answer is an very simple task. A few lines of code.
    Making a custom browser that can handle https and whatever the login page could have implemented (or changed), seems crazy to me.

    And even if you manage to do that, it doesn't address the confidence issue (in fact it gets worse).

    Quote Originally Posted by wqweto View Post
    Entering credential into LOB apps is common, usually upon startup the user has to authenticate somewhere, unless using saved credentials (the `refresh_token` in OAuth2 terms) so this will be no surprise IMO.

    cheers,
    </wqw>
    It may be common, and I believe it. Still not good.
    If there is no other option, then OK. But the other approach is not too difficult. The only downside is that it needs Winsock.
    There are also some winsock replacements with source code out there.

  11. #11
    PowerPoster wqweto's Avatar
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,120

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by Eduardo- View Post
    And even if you manage to do that, it doesn't address the confidence issue (in fact it gets worse).
    Wait, in your suggested solution there is still a browser involved -- the default one, which might not be IE (but still might be exactly IE). And then this browser redirects to a custom web server component of the application, that must be listening on localhost which shows a warning from windows firewall that might get rejected by accident by the scared end-user.

    I'll be less confident in an app if it shells a browser to enter my login (like 90% of phishing attacks) than a desktop app that shows a form with it's logo and icons that prompts me for credentials. Probably 90% of end-users will not notice it's a hosted browser.

    I'm just suggesting that the web server part can be skipped to reduce app's moving parts, it is not required by OAuth2 for so called "installed apps" and just introduces unneeded complexity.

    cheers,
    </wqw>

  12. #12

    Thread Starter
    PowerPoster
    Join Date
    Sep 2012
    Posts
    2,083

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by Eduardo- View Post
    What do you need, OAuth or OAuth2?
    I only have experience with OAuth2, and for connecting to DropBox.
    My Web-Login (or Web User Management) system needs to exchange data with third-party payment systems and third-party mobile IM systems.

  13. #13

    Thread Starter
    PowerPoster
    Join Date
    Sep 2012
    Posts
    2,083

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by wqweto View Post
    Not strinctly necessary. Google OAuth2 impl supports custom redurect_url as `urn:ietf:wgauth:2.0ob` especially for desktop apps. In this mode Authorization code is exchanged via browser title as this browser is supposed to be hosted inside a form of the application. Then just in case the user is instructed to close the page but usually the app closes the hosted browser immediately upon title change. This works very consistently and does not require any redirects, esp. when user's workstation is behind (multiple) firewalls.
    </wqw>
    Very useful information, thank you very much.

    Quote Originally Posted by wqweto View Post
    In OAuth2 the idea is this Authorization code to be subsequently once exchanged for access_token and/or refresh_token for later use. The VbGcp (google cloudprint) sample I mentioned above does the whole OAuth2 + REST service access.
    </wqw>
    Great, I'll study your code carefully.

    Quote Originally Posted by wqweto View Post
    The user management part is hard -- this is Google Accounts interface, with all registeration and validation, password lifecycle/reset, 2FA, authorization consent screens, auditing, linked apps management, etc.
    </wqw>
    Now Web User Management System is the biggest obstacle I'm facing when developing Web-App.

    Quote Originally Posted by wqweto View Post
    Usually security is off-loaded to AD or some LDAP implementation. Then a stock user registration web-interface is bolted to this. Then some OAuth2 impl is bound to the LDAP server like IdentityServer esp. if some kind of federation is required (e.g. foreign e-mail registrations + our Windows domain accounts to be valid for a system).

    cheers,
    </wqw>
    Well, I need to spend more time to understand the relevant knowledge. Thank you so much,wqweto.

  14. #14

    Thread Starter
    PowerPoster
    Join Date
    Sep 2012
    Posts
    2,083

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by wqweto View Post
    as this browser is supposed to be hosted inside a form of the application.
    Quote Originally Posted by Eduardo- View Post
    That's allowed but is considered a bad practice.
    The best practice is to let the user to autenticate with the browser that he normally uses to navigate.

    If I, as an user, had to enter some important credentials, I wouldn't like to do it inside a third party application.
    I prefer to do it in my browser, where I can see that there is no pishing or something else.

    Edit: besides, doing that you depends on some Internet Explorer installed on the end user machine (and being available for your program).
    I often need to host a web browser inside a VB6 Form. Also, I plan to change all my VB6 desktop software's forms to web pages (dynamically generated pages).

    Quote Originally Posted by wqweto View Post
    If you suggest implementing a custom web server to point `redirect_url` to localhost, then perhaps implementing a custom browser with winsock might be simpler. I consider both a bit off the limits of acceptable not-invented-here syndrom.

    Entering credential into LOB apps is common, usually upon startup the user has to authenticate somewhere, unless using saved credentials (the `refresh_token` in OAuth2 terms) so this will be no surprise IMO.

    cheers,
    </wqw>
    Maybe I could try RC5.WebKit

    Quote Originally Posted by Eduardo- View Post
    It may be common, and I believe it. Still not good.
    If there is no other option, then OK. But the other approach is not too difficult. The only downside is that it needs Winsock.
    There are also some winsock replacements with source code out there.
    Winsock is also one of the options, but I'm unfamiliar with Winsock.
    Last edited by dreammanor; Feb 13th, 2018 at 11:55 AM.

  15. #15

    Thread Starter
    PowerPoster
    Join Date
    Sep 2012
    Posts
    2,083

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by wqweto View Post
    Wait, in your suggested solution there is still a browser involved -- the default one, which might not be IE (but still might be exactly IE). And then this browser redirects to a custom web server component of the application, that must be listening on localhost which shows a warning from windows firewall that might get rejected by accident by the scared end-user.

    I'll be less confident in an app if it shells a browser to enter my login (like 90% of phishing attacks) than a desktop app that shows a form with it's logo and icons that prompts me for credentials. Probably 90% of end-users will not notice it's a hosted browser.

    I'm just suggesting that the web server part can be skipped to reduce app's moving parts, it is not required by OAuth2 for so called "installed apps" and just introduces unneeded complexity.

    cheers,
    </wqw>
    Yes, Windows Firewall is a very troubling issue in Web-Apps or Remote-Apps.

  16. #16
    PowerPoster
    Join Date
    Feb 2017
    Posts
    4,995

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by wqweto View Post
    Wait, in your suggested solution there is still a browser involved -- the default one, which might not be IE (but still might be exactly IE).
    Yes, it is the browser the user decided to use.
    It might not be IE.

    Quote Originally Posted by wqweto View Post
    And then this browser redirects to a custom web server component of the application, that must be listening on localhost which shows a warning from windows firewall that might get rejected by accident by the scared end-user.
    I didn't experience that.
    What I'm suggesting is what biggest companies that use OAuth2 for registration suggest for desktop applications. They discourage your approach.

    Quote Originally Posted by wqweto View Post
    I'll be less confident in an app if it shells a browser to enter my login (like 90% of phishing attacks) than a desktop app that shows a form with it's logo and icons that prompts me for credentials. Probably 90% of end-users will not notice it's a hosted browser.
    That would be dishonest anyway.

    Quote Originally Posted by wqweto View Post
    I'm just suggesting that the web server part can be skipped to reduce app's moving parts, it is not required by OAuth2 for so called "installed apps" and just introduces unneeded complexity.

    cheers,
    </wqw>
    I wouldn't ask the users to do something that I wouldn't do myself. So I wouldn't ask them to enter a private login information from within my application... unless there is no other way.

    And also I would'n make a commercial App that relies on IE installed to function.

  17. #17
    PowerPoster
    Join Date
    Feb 2017
    Posts
    4,995

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by dreammanor View Post
    My Web-Login (or Web User Management) system needs to exchange data with third-party payment systems and third-party mobile IM systems.
    Well, then you need to study their web API's. Everyone is different.

  18. #18
    PowerPoster wqweto's Avatar
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,120

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by Eduardo- View Post
    And also I would'n make a commercial App that relies on IE installed to function.
    How do you uninstall IE got really curious?

    With google's OAuth2 there is no need to enter you user/pass for gmail -- you can generate application passwords for each application. This gets entered once and is never asked again once the `refresh_token` is persisted by the app. It makes entering credentials for a cloud service a one time configuration and I usually keep these in Preferences dialogs of my commercial applications. No complaints so far for hosting IE in an empty form that is very well integrated with the rest of the application (header, footer, icons, whatever). It's just facilitating configuring these settings in a seamless way -- don't see nothing dishonest, au contraire, it looks more thrustworthy.

    Binding a listener on localhost does get a firewall exception dialog for your app.exe. You probably got VB6.exe in the allowed applications once and forgot about it.

    cheers,
    </wqw>

  19. #19
    PowerPoster
    Join Date
    Feb 2017
    Posts
    4,995

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by wqweto View Post
    How do you uninstall IE got really curious?
    IE is completely obsolete today. I don't know if it will be integrated in Windows for much longer.

    Quote Originally Posted by wqweto View Post
    With google's OAuth2 there is no need to enter you user/pass for gmail -- you can generate application passwords for each application. This gets entered once and is never asked again once the `refresh_token` is persisted by the app. It makes entering credentials for a cloud service a one time configuration and I usually keep these in Preferences dialogs of my commercial applications. No complaints so far for hosting IE in an empty form that is very well integrated with the rest of the application (header, footer, icons, whatever). It's just facilitating configuring these settings in a seamless way -- don't see nothing dishonest, au contraire, it looks more thrustworthy.

    Binding a listener on localhost does get a firewall exception dialog for your app.exe. You probably got VB6.exe in the allowed applications once and forgot about it.

    cheers,
    </wqw>
    I don't know the particularities of Google. I know the generals of OAuth2, I didn't work with Google so far.

  20. #20
    PowerPoster
    Join Date
    Feb 2017
    Posts
    4,995

    Re: The best solution for the web registration and login module with VB6.

    wqweto,

    I'm not saying it's a crime, not even that it's something wrong.
    I'm just stating the reasons that made me choose the other method.

    The point about potential problems with Firewalls, if real, would be a strong point against it.

    I've never used it on production.
    I started a project to make something with DropBox, but now abbandoned it because I see they are changing the API interface often.
    It would bring many problems if they change the API interface, I would have to rewrite the program every time, so I discarded it.

    Edit: and about Firewalls: in both cases the user would have to grant access to the internet for the App anyway.

  21. #21

    Thread Starter
    PowerPoster
    Join Date
    Sep 2012
    Posts
    2,083

    Re: The best solution for the web registration and login module with VB6.

    The following is the Microsoft Bing Dictionary (PC desktop edition), all interfaces are Web pages, that is, all Web pages are embedded into the Win-Form. This approach has been adopted by more and more PC desktop software. I'll also use this approach.
    Attached Images Attached Images  

  22. #22
    PowerPoster wqweto's Avatar
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,120

    Re: The best solution for the web registration and login module with VB6.

    Quote Originally Posted by Eduardo- View Post
    IE is completely obsolete today. I don't know if it will be integrated in Windows for much longer.
    It's a safe bet that IE (and particularly WebBrowser ActiveX control) will be supported long after VB6 runtime is gone from system32. There are even more LOB applications (not only in VB6) that utilize WebBrowser control than those written in VB6, IMO.

    The `referesh_token` is part of OAuth2 workflows. Application passwords are Google's way to address end-users' (and your's) concerns of entering gmail credentials in (random) app login forms -- e.g. Outlook randomly asking for POP3 auth on lost conectivity.

    cheers,
    </wqw>

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width