Sharing cookies from the browser to the electron app
I log in to my website. Then I start my electron application. I don't want to log in. I need cookies or tokens to log in. Is it possible to share cookies from the browser to the electron app?
Think about this from a security perspective: If any app could read any of the Browser's cookies, then it would be simple to spy on users or impersonate them from the outside (a malicious app, like spyware or something similar). So the answer is "maybe".
Firefox, for example, stores the cookies (assuming that you have not set a primary password for your profile) in an SQLite database in a well-defined folder. So you could definitely try to read them.
However, AFAIK most antivirus software is aware that this is a security problem and will thus nuke any app other than the browser which tries to access them.
So, as long as no antivirus software is installed and Firefox is used without a primary password, you "should be good".
However, this is not a good idea, even from a user perspective: The connection between "I logged in via my browser" and "I am logged in in the app" is not intuitively clear. Also, some (most) users may consider this a breach of trust. After all, if you read their cookies, what else will you read? Who guarantees that you only use the cookies from your particular webpage? An app "randomly" reading your cookies is kind of creepy if you think about it.
Then there's another hurdle to overcome: How do you decide which of the multiple browsers installed on the system (and even if uninstalled, there probably will still be the users' profiles left) is the "right" one? What do you do if multiple browsers have multiple session cookies for your webpage? All this is not as easy as it might seem in the first place.
I suggest you to look into some other technologies, like OAuth2, which may reduce the "login process" inside your app to a single click in case there's a session open for the device. How this is implemented specifically is out of scope for this answer (and hard to explain and understand without the required basic knowledge).
Related
Background:
I'm a tech writer at our company. I dabble in Javascript from time to time, and I consider my js skill level to be maybe advanced beginner/early intermediate.
Anyway, we have Help content created by Adobe's RoboHelp (version 2017). The Help content is static HTML5 .htm pages. The Help gets installed into a folder as a bunch of static .htm pages on our users' computers when they install our product. The users open our .htm pages in their browser via the file:// protocol.
Our Goal:
On our first intro page of our Help, we're planning on showing a "What's New" .htm file inside of an iframe, but we only want to show it the first time a user accesses the documentation.
What I Know and Have Tried:
I know on a real web server, I'd probably just use cookies to control this. But on a local computer, cookies aren't persistent, and after the session closes, the local cookie storage gets deleted.
I know that Javascript accessing the file system unfettered is a security no no and isn't possible.
I've looked into the FileSystem API but the things I've read indicate that it is dead and not in the standard going forward.
My Question:
Is there some other way in Javascript to have limited trusted access to a single settings file etc for this kind of thing? If so, what is the best / recommended way that keeps the user's computer secure but allows us to store and modify settings in a limited fashion so the user has the best experience?
Note that many of these users probably won't have access to the Internet at all, since their computers will be on a factory floor, so a solution that doesn't require talking back to the Internet is ideal.
I assume most of our users log onto their computers with a standard (non-admin) level login. How many users on the same computer will vary, and I don't have that info, though I think it's likely there will be different shifts that use the same computer.
I'm planning on just storing something simple, like boolean values (ie True/False for if this is the first time they've seen the What's New page etc).
Some questions:
Does a user login? What sort of information is planned on being stored?
How many users will be using the same computer?
It's not strictly secure. I wouldn't store any passwords, and personally identifiable info in localStorage, however there are some caveats ( Storing Credentials in Local Storage ), https://softwareengineering.stackexchange.com/questions/152763/html5-localstorage-and-encrypted-sensitive-data ( however if it's on a computer not connected to the internet, then maybe something simple with encryption, might be ... okay )
Might have a look at localStorage.
https://stackoverflow.com/a/44358718/2026508
https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage
I would like to capture the "computer name"/"device name" of the user. (Ex: Joes-iPhone) It seems like a nice touch to be able to see what devices have connected with the users login so they can see if there is unauthorized access to their account.
Over and over I see people say this is impossible from a web page for JavaScript, HTML, PHP, etc. Yet when I log into my bank, Facebook, Google. Low and behold, there is every device I've connected with. This means it is most definitely possible.
There was one instance where one of my accounts was logged into by someone and this was a big help in identifying what was going on and I love this feature now. I would like to implement this but am stuck in a city full of dead end roads!
Does anyone have any knowledge of how they are accessing this? Or even theories? I don't care what language or technique.
I'm very curious to see what people come up with. I do have an app for Facebook, so I could see the app accessing it and storing it for the browser site, but I have no app for the bank or Google and I have devices listed in Facebook that were not used within an app, only through the browser. To my knowledge I have never authorized any access to anything beyond what the browser is capable of, so there must be something I'm missing.
Short answer: It's true, it can't be done.
But why not??
Your device name is used when your device connects to your router -- but that's where it stops. Your router doesn't allow that information to be broadcast any further. When your computer/tablet/phone requests a web page, your router is the one actually asking for the page -- and he refers to himself by his public IP, which is shared by all the devices on your LAN.
Second-Best
What can be seen by external Internet entities is your user-agent (the type of browser you're using), which can give someone a pretty good idea of what operating system you're using, and therefore what sort of device you're on (mobile vs. desktop/laptop, Windows vs. Mac, etc.). The user-agent info is available as a string, and can be accessed by PHP via the $_SERVER['HTTP_USER_AGENT'] variable.
The PC name is only accessible through LAN (another PC connected to the same modem/router), if such a request hasn't been blocked on your PC. It is not distributed by browsers.
What browsers transmit is the browser info and operating system as well as the IP address. That's all. Some sites allow you to give a nickname to each machine so you can identify them, and they can then use cookies to remember which is which.
EDIT: The only thing I can see is that they could be using Java or Flash to do it.
I want to save a JSON object to a file at client to persist it for future usage, I have tried following line
window.open("data:text/json;charset=utf-8," + escape(JSON.stringify(obj)));
and it works!! Problem it asks user the location and name of the file for saving. What I want is I want the user completely unaware of the fact that something is being saved for future use or atleast keep it to minimum possible user clicks.
How can I give the file name and location statically in window.open() ?
Thanks in advance,
EDIT
Just to make it clear that " I don't store arbitrary or unwanted data. All the users are registered users of the system." In normal conditions I don't store anything locally. However I want to store some JSON objects if the network was not available at the time of form submission.
One obvious solution will be to use cookies. Since Cookies can be accidentally deleted due to user's browser settings. I need a way to persist the data till the network becomes available. It will be greater to have cross browser support.
If you want to persist data, then use a storage API, you can't play games with the user's filesystem.
You can't do that, it is a question of security on client side.
I want the values for cross-browser support, even if the user changes the browser he/she should be able to proceed from where he left. I am storing information in JSON objects.
I think users don't expect a web application to share information with other browsers on the same machine this way. Also, I doubt many users change their browser too frequently anyway to warrant a privacy-invasive feature like this. You should either consider storing the information on your server (by forcing a user to register or using common accounts like OpenID, Google, Facebook etc.) or on the client side by setting a cookie or using the mentioned storage technologies.
If you really want to restrict stored information to browsers on the same machine, and don't want to permit access by the same user on different machines, you could take a look into LSO ('Flash cookies') which seem to be saved browser independent. You don't need any user confirmation for storing LSOs.
Update: Flash isn't supported by browsers as it used to be and not widely used nowadays, so LSOs aren't a good option any more.
FileSystem APIs is part of HTML5 spec and it is possible to access file system in a sandbox for a certain website in modern browsers, here is a good tutorial:
http://www.html5rocks.com/en/tutorials/file/filesystem/
However I would go with LocalStorage API for that matter which has better browser support:
http://www.w3schools.com/html5/html5_webstorage.asp
FSO.js wraps the temporary/persistent FileSystem API and will allow you to easily read/write files... only supported by Chrome right now, but the spec is coming along fast. :)
As has already been mentioned in the comments, this is not possible without express user consent for obvious security reasons. however, as also mentioned in comments, you shoudl/could store the information in a cookie which will then be retrievable when the user returns.
something like this would do it
document.cookie="cookie_name="+required_value+"; expires=Monday, 04-Dec-2011 05:00:00 GMT";
obviously the expires time will be as long as you need the information to persist.
hope that helps
I have an HTML5 app which is capable of running offline. However, I need to password protect the directory this app resides in to only allow access to authorized users. Initially I was using a PHP login page which set a cookie (outside of the app directory) then redirected to the app directory. The app (JavaScript) checks for the cookie and if it's there it lets the user run the app. If not, it redirects them back out of the app directory.
The problem with this method is that all of the files in the directory are still accessible if referenced directly (which I don't want). I do not want users to have to authenticate every time they hit the directory (it's a one-time authentication process; the cookie is there so that they never have to type their username/password again), and I also want to have a stylized login form (i.e. not using the default browser login box for http authentication).
Finally, because this is an offline HTML5 app, I can't include any PHP code in the app itself.
Any suggestions?
That doesn't sound like something you could do from Javascript. The script would need access to the file system to be able to restrict access to the folder, wouldn't it?
Unless this feature is exposed by the browser via a javascript API, I don't think it will be possible. It sounds like it would be a useful feature though.
Perhaps you could encrypt vital data, but apart from slowing down the application, I'm not sure what good it would do, since all the necessary keys would have to be stored locally as well...
Since the general rule of security on the web is that you can never ever rely on anything that happens client-side (e.g. in Javascript) without a double check on the server-side, this will of course pose a problem when the app is running offline and the server-side is not available :(
Looking at the "make Javascript redirect if the cookie exists" problem, unless I'm mistaken, it would be trivial for a malicious user to edit the Javascript, using for example Firebug, to redirect in any case.
EDIT: By the way, what level of security are you looking for? The "mom won't be able to accidentally access my account"-level (which it sounds like you already achieved), or the "no one, except maybe the NSA, should be able to hack it"-level?
Our company makes the web based application which is priced per workstation.
That means that user/pass credentials should only be used from one particular machine.
Currently what is happening that several users are sharing credentials and we do not have any way to prevent this if they are not doing it concurrently.
The nature on the application is such that user needs to use it once in a while so the inability to work concurrently does not bother the users much and the company loses it's possible revenues.
The application currently is purely AJAX without flash/activeX/Java applets.
The ideal solution would be to read the computer name or IP address of the client with javascript using "Shell.Network" scripting interface.
But this is impossible because of the strict security settings in Internet Explorer. I have to mention that cross browser functionality does not matter and the only browser supported is IE.
Searching google I came across this solution here http://www.reglos.de/myaddress/MyAddress.html but it requires JAVA applet so will not be very convenient.
Are there any other solutions for this?
Your licensing model is not consistent with the delivery model. Change one of them.
Set a cookie on the machine with an id. Retrieve the cookie each time the user logs in. If you see several different cookies alternating for a single user you know you've got something odd going on.
(Of course a single switch may just mean they've moved to a new PC as one off. )
Alternatively, price per usage, 'query' or some other item.
This kind of abuse can probably be detected moderately effectively using the Cookie technique that RichH suggested. At least blatant abuse can be detected quite easily (say 10 licenced users, 100 real users).
But of course, don't lock the user out, just monitor the situation and get your Sales people to call up suggesting that they buy more licences.
We do exactly the same (in terms of licensing and delivery), and I'm sure that you have good business reasons for not changing your model.
Track through sessions per user. Do not allow multiple sessions to a single user. To achieve this you will have to save the session ID into the database and check everytime a user logs in.
To help users who at times have a browser crash and relogin with new session, allow them to sign out their previous session... so you can kill the old session and instead register the new one.
Hope this is useful.
There's no easy answer as your clients (the software) are effectively anonymous and the users are self-identifying.
For IE "locking you out" (I'm hardly an IE expert), but can't the IE settings be set for particular domains? You could simply make it a requirement that the users configure their browsers to give your app superior access.
I don't see any reason why you can't have certain requirements for the users browser (i.e. only IE 6/7/8, these security settings, etc.).