Help making a login "stage" for an app (CoronaSDK)

4 comments, last by slicer4ever 11 years, 9 months ago

I am developing an app for my school. I am using CoronaSDK to develop it, so I'm doing this in Lua.

I need help making a login part of the app so that only students, parents, and teachers can login with the correct credentials given to them.

I need help with these parts:

1. I have gotten all the login info (school username and password to access computers in the school) for all the students at my school from the technicians, but I don't know if I should put these in a database or in a local file on the app.

2. Once done with the 1st step, I need to know how to make it so that if the student, parent, or teacher puts in the wrong username or password, it won't let them use the app. But if they put the right info in, it allows them to access the app.

3. Next, I also need to know how to make it so that if a student, parent, or teacher forgets their password, instead of coming to the school and asking, the app could send it to the email of the student, parent, or teacher. (the email address is included with the login info in step 1)

It would greatly help me if someone could give me detailed info on how to do this. (code examples would be great!)

Thanks!

~Landon


it really depends on how much do you trust your clients, and does it 100% matter if someone can bypass your security, and get into your app, but i'm going to go off the basis that you don't want unauthorized people to easily get in so:

1. any real world app is using a database, it's a huge security issue to store user/pass with the client(in this case, the app), so i'd recommend using a database/server if that isn't a problem.

2. stopping them from getting into the app is pretty simple, just don't move past the login until your server responds with an OK message(or the local database successfully matches user/pass), if you've managed to create a login page, then you've already done this job, so when the user hits the login button, simply return to the login if they fail, of course this isn't a 100% method to ensure people don't bypass(this is pretty easy to bypass if someone has the know-how), but for your needs, it'll probably be fine.

3. if you're using a database, i'd write a special message for a forgotten password, when the server gets this message, it'll look up the e-mail of the associated account, and e-mail the password to them, this way, your local client never has access to the password.

also, instead of storing the password, i'd recommend learning about hashing it, and sending a hash to compare with the server, instead of storing their passwords in plain text. however, when someone needs their password sent, then the server will have to generate a new password for the user, and have them change it on their next login.

i've never used CoronaSDK, so i can't write any examples, but if you've been given this responsibility as a student, i'd hope your teachers were able to recognize you could actually do this.
Check out https://www.facebook.com/LiquidGames for some great games made by me on the Playstation Mobile market.
Thanks for the reply!

I have a few questions:

1. How would I do the below that you said:


2. A. stopping them from getting into the app is pretty simple, just don't move past the login until your server responds with an OK message(or the local database successfully matches user/pass), if you've managed to create a login page, then you've already done this job, so when the user hits the login button, simply return to the login if they fail.


Like how would I make it so that until the server gives an OK, it won't let them get past that stage?

Also, how would I do this:


3. if you're using a database, i'd write a special message for a forgotten password, when the server gets this message, it'll look up the e-mail of the associated account, and e-mail the password to them, this way, your local client never has access to the password.


How would I make a "special message" for a forgotten password?

And finally:



but if you've been given this responsibility as a student, i'd hope your teachers were able to recognize you could actually do this.


I have taken this upon myself because I just want to make it a lot easier for the students, parents, and teachers of my school to get access to all the school info, because I know that no one in my high school has thought of this idea. So I brought it upon myself to develop this app for my school :)

Thanks again for the reply :)

~Landon


Thanks for the reply!

I have a few questions:

1. How would I do the below that you said:

[quote name='slicer4ever' timestamp='1341712094' post='4956782']
2. A. stopping them from getting into the app is pretty simple, just don't move past the login until your server responds with an OK message(or the local database successfully matches user/pass), if you've managed to create a login page, then you've already done this job, so when the user hits the login button, simply return to the login if they fail.


Like how would I make it so that until the server gives an OK, it won't let them get past that stage?
[/quote]
as i said, i've never used CoronaSDK so i can't write any samples, but i'll try and give you some pseudo-code on it.


    int State = login_state; //login_state is defined somewhere else
    while true do //Main app loop:
        if State==login_state then
            if login_button_pressed then //once the user clicks the login button:
                //Send user name and password(optionally hash the password)
                while not response do //wait for a response from your server, optional to add a timeout here, and tell the user that it can't communicate with the server if it times out
                    if response then //once we get a response from the server
                        if response==OK then
                            State=app_state; //server has said ok, change to a new state
                        end //you can optionally do an "else" here for if the response is not OK, to tell the user they've entered incorrect data.
                    end
                end
            end
        elseif(State==app_state) then
            //do w/e your app needs to do here...
        end
    end

this is essentially how i'd do it, i'd stay in the login state until i get a response telling me it's ok to move to my main app.

Also, how would I do this:

[quote name='slicer4ever' timestamp='1341712094' post='4956782']
3. if you're using a database, i'd write a special message for a forgotten password, when the server gets this message, it'll look up the e-mail of the associated account, and e-mail the password to them, this way, your local client never has access to the password.


How would I make a "special message" for a forgotten password?
[/quote]
using the above code:

    while true do //Main game loop:
        if State==login_state then
            if forgot_password_button_pressed then
                //Send message with username and a special code to server
            end
        end
    end



i would probably use a mysql database, and apache with php for my backend server, instead of writing a special app on the server.

so essentially, when i'm logging in, i'd make a connection with a login page like so:
"http://myserver.com/login.php?user=username&pass=pass"
which would respond with a simple "OK" if successful.

and if i've forgotten the password, i'd use a different page like so:
"http://myserver.com/forgot.php?user=username"
the forgot.php page would create the email, and dispatch it all on the server.

there are probably other things you'd want to do, so other people can't intentionally change another user's password, this is what security questions are generally for.


And finally:


[quote name='slicer4ever' timestamp='1341712094' post='4956782']
but if you've been given this responsibility as a student, i'd hope your teachers were able to recognize you could actually do this.


I have taken this upon myself because I just want to make it a lot easier for the students, parents, and teachers of my school to get access to all the school info, because I know that no one in my high school has thought of this idea. So I brought it upon myself to develop this app for my school :)

Thanks again for the reply :)

~Landon
[/quote]

while a noble idea(and i'll assume you're a teacher, not a student?), i'd like to ask how much programming experience you have, some of these ideas are rather simple, and if this is potentially production code and private information you're dealing with, it might be better to outsource the project, as well, i'm not in the education system myself, but it seems like there'd be a lot of potential paperwork, and testing that'd need to be done before such an application could be distributed, as you're dealing with a lot of people's potentially private information.

Check out https://www.facebook.com/LiquidGames for some great games made by me on the Playstation Mobile market.
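
An added example, not part of slicer4ever's post: server-side PHP for the login.php and forgot.php pages described above, keeping only salted password hashes in the database and handling a forgotten password with a single-use, expiring reset token that is e-mailed in place of a password. The table layout, function names, sample account and the in-memory SQLite database (standing in for MySQL) are assumptions, and the app is assumed to send credentials in an HTTPS POST body.

```php
<?php
declare(strict_types=1);
// Assumed schema and names; in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, pw_hash TEXT,
           reset_hash TEXT, reset_expires INTEGER)');

function addUser(PDO $db, string $user, string $email, string $password): void {
    // Store only a salted, deliberately slow hash, never the password itself.
    $st = $db->prepare('INSERT INTO users (username, email, pw_hash) VALUES (?, ?, ?)');
    $st->execute([$user, $email, password_hash($password, PASSWORD_DEFAULT)]);
}

function checkLogin(PDO $db, string $user, string $password): bool {
    $st = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    // Unknown user and wrong password give the same answer.
    return is_string($hash) && password_verify($password, $hash);
}

function startReset(PDO $db, string $user): ?string {
    // Random single-use token; only its SHA-256 is stored, valid for 15 minutes.
    $token = bin2hex(random_bytes(32));
    $st = $db->prepare('UPDATE users SET reset_hash = ?, reset_expires = ? WHERE username = ?');
    $st->execute([hash('sha256', $token), time() + 900, $user]);
    return $st->rowCount() === 1 ? $token : null; // token goes in the e-mailed link
}

function finishReset(PDO $db, string $user, string $token, string $newPassword): bool {
    $st = $db->prepare('SELECT reset_hash, reset_expires FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_hash'] === null || (int) $row['reset_expires'] < time()
        || !hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $st = $db->prepare('UPDATE users SET pw_hash = ?, reset_hash = NULL, reset_expires = NULL WHERE username = ?');
    $st->execute([password_hash($newPassword, PASSWORD_DEFAULT), $user]);
    return true;
}

// Constructed sample account, then the flow end to end.
addUser($db, 'jdoe', 'jdoe@school.example', 'first-password');
var_dump(checkLogin($db, 'jdoe', 'wrong-guess'));
$token = startReset($db, 'jdoe');
var_dump(finishReset($db, 'jdoe', $token, 'new-password'), checkLogin($db, 'jdoe', 'new-password'));
var_dump(finishReset($db, 'jdoe', $token, 'again'));  // token reuse
```

forgot.php would return the same response whether or not the username exists, so the page cannot be used to test which accounts are valid.
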
Thanks once again for the reply!

Now I understand what you mean for both steps 2 and 3.

Also, I am a 10th grade student in my high school. Haha

Finally, what do you mean by "outsourcing the project"?

Also, there is really no personal information besides the email, and that really isn't that personal.

Thanks again!

~Landon


my apologies, when i read your second post, i had thought you might have been a faculty member doing this. still, i'm not certain exactly what information you wish to show, but i'd recommend discussing with a teacher to make sure that the school is willing to support such an idea, you said that no one had thought of this, it might not be that they didn't think of it, it's just your school district board/higher ups/whomever, decided that it wasn't viable for some reason. still, at worst, this is a great learning exercise, and i'd recommend ignoring my "outsourcing", since you can still learn quite a bit by doing this.
Check out https://www.facebook.com/LiquidGames for some great games made by me on the Playstation Mobile market.

This topic is closed to new replies.
