Improve security beyond the tutorial.
The tutorial is designed to convey single sign-on basics. Consider these recommendations when
preparing for your production system.
- To keep this sample easy to follow, the user name, password and expiration date are encrypted
directly in the cookie. Do not do this on a production site: anyone who recovers the decryption
algorithm can read the user name and password in clear. We recommend that you review the
encryption mechanism and improve security by encrypting a hash of the login + password instead of
the login + password themselves.
- The functions shown in this sample are “fake” functions adapted specifically for it, and they may
contain some “dirty” code. We recommend that you review these functions in detail before adapting
them to your production environment.
- User and password are hard-coded in the 4GL code. A production site would require a
database.
- Production sites require HTTPS rather than HTTP, so that data is not transmitted in clear over
the network.
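The following added example (not code from the tutorial or the 4GL sample) illustrates the first recommendation above: it builds the tutorial-style cookie payload that carries the clear password beside a hardened payload that carries only a hash of login + password, and shows the server-side validation with expiration and integrity checks. It assumes a constructed secret key and credential store, and leaves the encryption step to the site's own mechanism (the payload is only integrity-protected here).

```python
import hashlib
import hmac
import json

# Constructed demo key; a production site loads this from a secret store.
SECRET_KEY = b"demo-only-cookie-key"

def credential_hash(login, password):
    """Digest of login + password: what the hardened cookie carries instead of the clear values."""
    return hashlib.sha256(f"{login}:{password}".encode()).hexdigest()

def seal(payload):
    """Serialise the payload and attach an HMAC tag so tampering is detected.
    Placeholder: the site's cipher would encrypt 'body' before it is sent."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag

def open_cookie(cookie):
    """Verify the tag and return the payload, or None if it was altered."""
    body_hex, _, tag = cookie.rpartition(".")
    body = bytes.fromhex(body_hex)
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)

def make_cookie_tutorial(login, password, expires):
    """Tutorial-style payload: the clear password travels in the cookie."""
    return seal({"user": login, "password": password, "exp": expires})

def make_cookie_hardened(login, password, expires):
    """Hardened payload: only the digest of login + password travels."""
    return seal({"user": login, "cred": credential_hash(login, password), "exp": expires})

# Constructed credential store standing in for the database a production site
# would use; it keeps only the digest, never the clear password.
USERS = {"alice": credential_hash("alice", "s3cret")}

def validate(cookie, now):
    """Return the user name for a valid, unexpired hardened cookie, else None."""
    payload = open_cookie(cookie)
    if payload is None or payload.get("exp", 0) <= now:
        return None
    stored = USERS.get(payload.get("user"))
    if stored is None or not hmac.compare_digest(stored, payload.get("cred", "")):
        return None
    return payload["user"]
```

Decoding the tutorial-style cookie yields the password itself, whereas the hardened cookie yields only a digest the server compares against its stored value.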