C# storing information
Hi there,
I am working on a server program in C#, but I've run into a problem. When a user connects, his account is authenticated, etc. That's all fine.
But the problem is that the server will have to execute alot of query's and functions with the connected user's username, password, etc. as parameter. This wouldn't be a problem if I only had 1 client, but multithreading and multiple connections make this a tough task.
Currently I have several function, which I have to call like this: (mostly for security reasons)
functionName(action, value, username, password)
It just seems like overkill to me, because I have to use this function maybe 5-6 times in one 1 string.
I guess I'm just looking for a good way to store the information of multiple connected users without the threads mixing up the information.
Thank you for your time.
What I'm currently doing:
Like I said before, at this moment the client always sends his username and encrypted password to the server. And the username and password will always be added as parameter for most methods so I can check the database to see if the data is correct.
It makes the code look awefull and redundant.
Edit:
At the moment the user will log in using his password and username. Then I encrypt the information and send it in the form of a packet.
The server decrypts the information and checks the username and password in the database.
After that I cre开发者_JS百科ate the GUID and send it back to the client so it can save the ID and add it to every following packet.
Now how do I (server side) check if the GUID in the packet from the client is a legal one server side? -do I just store the GUID in the database temporarily?
You might consider making an authenticate method that returns a secure token, perhaps a GUID
Guid Authenticate(username, password)
and pass this around in the methods instead of the username.password
functionname(action, value, securityToken)
I think you're thinking about this all wrong. You should only have to send the users password on login only, forget about it after that. If you want to check the users identity, use their unique identifier.
What I do in scenarios like that is usually to have the user first login with their username/password and return a token that they can use instead for subsequent calls. The token has an expiration time and you can also tie it to their ip for additional security
a clever thing you can do is include a hash as parth of the token so you can do an initial check if the token is valid without hitting the database, say that your token is
dsklfgjkgjdlg, you have a secret token hashstring, say "craemefraice", you hash the token with your secret string and append it to your token so it might be dsklfgjkgjdlg:[thehash]
when you want to check a token then you simply split the string by : , hash it with your secret string and checks if it matches the token. If not it's not valid, if it is you check the credentials against the database
If I understand correctly you could create some class and instantiate it first with parameters username, password, then it will have only functionName(action,value) method with just 2 arguments, you will call it like you do right now a 5-6 times in one string (??) and inside it will call actual functionName with 4 parameters adding those 2 parameters from its fields.
like SecureFunctionCaller sfc= SecureFunctionCaller(username,password); sfc.functionName(action,value).
You might have to copy all those functions to this class so it depends on the number. Also you could create a User object and have both username and password in it and use 3 parameter functions instead of 4 parameters if that would be better.
ps: that said I agree that you might possibly doing it all wrong architecture wise but with so little info its hard to guess
PPS: after your edit its obvious now that you should first authenticate user so he has a security token and then use it instead both parameters ive thought you were describing method calls on server, not client.
精彩评论