Resuming XMPP connection upon page refresh - javascript

I am not able to maintain the connection on page refresh.
Initially upon every refresh Strophe connection object is lost. So, the first approach I took was reconnecting on refresh.
I am saving the JID, SID and RID in localStorage send the strophe attach call with saved details.
AuthHandler.attach_params(jid_frm_storage, sid_frm_storage, rid_frm_storage);
The attach callback is in actual AuthHandler Object that I have
created and is logging perfectly that means it is okay to assume that
my attach was successful but still I am not able to send or receive
any messages
My second approach I saved the latest RID in locastorage and used it to attach as I came to know upon researching on already posted problems online that RID changes frequently. (Although please note I am saving RID only when either i send message or receive a message).
I also tried sending presence.
ConnectionHandler.connection.send($pres());
But no luck here either!
In my last approach I re-authorized, .i.e I connected and re-logged in and then sent the auth, still no luck.
How can I resume my connection upon refresh. What are the things That I need to do from Strophes end in order to reconnect and resume the same conversation.
NOTE: I am not that clear with how XMPP works internally but I have been able to push this far by learning-by-doing approach. I know it would be great to wait and learn a bit on xmpp before rushing forward but I can't afford that right now as we are prototyping fast.
Will really appreciate if steps required to accomplish this can be explained in detail.

Solved this:
The best way to solve this is by saving the login credentials in localStorage (mind you it might not meet your security requirements, met mine though) and then make a proper connection again, but this time with same credentials as before.

Related

Session Timeout in Fiori: Does SAP UI5 or the Gateway layer provide an event which gets called when the user's session times out

I'm working on resource locking in SAP Fiori. To be more elaborate I am trying to lock a resource once a user logs in and opens my application and unlock the resource once he logs out or gets logged out.
I am aware of the onExit() event handler which is located in the main.controller.js and is called if the user performs an action which logs him out. This handles all scenarios except one: when the user's session is timed out.
Is anyone aware of a method(UI5 / Gateway layer) that is called once the session time's out?
As far as I think how this is handled is if a user's session is timed out then nothing happens until the user refreshes the screen.
At this point an Odata call is made to fetch data. Once this hits the Gateway it checks and finds out that the session has timed out and triggers a relogin action.
Correct me if I'm wrong. If right does anyone know what is the event handler which does that?
Also I have read up quite a bit about this. This falls under optimistic and pessimistic concurrency. I would like to try a pessimistic apprach and not a optimistic
approach using etags.
Thanks in advance for your time.
Also I cant officially post any code as it would be against policy, but if you have any queries please feel free to ask and I will do my best :). Plus this is more a fact finding mission.
There is no way you can trust a request to be executed from a browser to signal time out. You will end up with locked resources that shouldn't be locked due to lost connectivity, app crashing, battery drain to name a few. A classic problem for web applications!
Instead, you can construct a lock refresh mechanism. Refresh the lock every 30 seconds or so in the background. Just make sure to fetch the latest version of the resource if the lock was ever released!

preventing fraud by visitors using firebug or other consoles

I am trying to prevent fraud in a webproject I am building.
The project is a game which includes multiple websites.
Each website does a ajax check for with each pageview to a webpage on my server for a status update of the game.
The response page, lets say www.domain.com/response.cfm (it is coldfusion) normally returns nothing, but at a certain point of time within the games timeframe, it will display a JSON string with information.
This information is then used by the script that is included on the websites.
So website A has been viewed 100 times (all of its pages), which will generate 100 ajax calls.
The problem I have is that a robot could check the ajax destination too, and much faster. Now I can detect a robot, or could make it difficult for him by using a session or checking for cookies, BUT...
the biggest issue is that I found out you can do a lot in the Firebug script console, or the Safari console. Probably Chrome too.
With this console, they can even evade the crossdomain restriction. I created a simple script that does a couple of calls to the Ajax page and when I go to the same domain first, and then use the console...there is no crossdomain limitation. And you execute all kind of javascript, so in essence someone like me could commit fraud in the game by using the javascript console which masks him as regular browser user.
My question now is: Does anyone know how to prevent this? I tried to disable the usage of the console but I don't think I can. It may be possible to detect if the console is active and then disable MY scripts so the game doesn't work. But I think they can load the script source in the console manually and then the game does work.
Looks like console is a beautiful thing, but a nightmare for me now to prevent people cheating in the game I am creating.
Hope anyone has suggestions.
ps: of course I am trying to implement som server side checks to detect cheating, but most of the time it is not realtime.
UPDATE 19/3/2012
The fraud that I am trying to prevent is cheating in the game by polling the page that generates logic for the next step of the game. This is a serverscript page which generates json code which will trigger a change on the website the game is played on. For your information, websites the are involved have a script in there header, like google analytics, so they will communicate with my server every pageview.
Polling that serverpage can reveal information which will gain the cheaters knowledge or progress.
So i have to prevent people from getting knowledge ahead of other earnest players by monitoring the serverpage which will reveal information at a certain time. I don't want them auto polling it and when info is revealed, the send themselves a notifcation and check the website.
So what I will do is make sure that if people have to many pageviews per second, they are blocked. Plus you need a cookie to be able to join in and you only get a cookie by logging in. Hopefully this will give me enough tools to make it as robust as possible.
Thanks for all your knowledge, people.
It would be very, very difficult to disable web consoles across the majority of browsers, and anyone who managed to do this would probably be exploiting a browser bug. But read on...
First rule of web programming: You can never trust anything you receive from the web client. Anything that gets sent to your data might have been forged or altered intentionally or unintentionally, and even if you did manage to block a web console, what's to stop me from opening it in a different browser which specifically disallows websites with the console? So that's out. As #DCoder mentions in the comments, there are other methods as well, including browser extensions, which would allow user-defined JavaScript to be executed.
So any checking you do has to be server side. I know you're trying to do some checking already, and it's hard to give advice without having more specifics. That said, one way to do this, as far as I can see right now, is to issue each client an ID and store that in a database somewhere. They can't be sequential IDs, and make sure that they're not trivially forgeable even if someone has a bunch of different IDs (for example, you might want to salt the username, and then hash it). Each time a request is made to the server, only issue a response if the last request was >500 ms ago, and update the database accordingly. Expire the ID after logoff or some time.
The first thing you should think about is securing your server, not the client. It's impossible to hide client code from the client. While it might arguably help prevent a few people who want to cheat from cheating, it's not your primary objective. You have to do this from the server side. This means validating the requests on the server to ensure that they conform to your expectations to some degree.
Game companies will
Require user authentication of some kind so they can identify users
Create some rules about possibilities. For example, the laws of physics should apply, so you know when someone has cheated. Something they can validate as human activity.
Ban people who cheat
If you are not sending data continuously over the network, then you have an issue which is unsolvable unless you are willing to make checks on the server securely and continuously over the course of the game. This will increase server load, but that's the unfortunate cost of preventing cheats.

Keeping track of online/offline status in real-time with NowJS/Node.js?

I've got a site where users login and are connected to NowJS on all pages. I'd like to be able to keep track of their status (online/offline) in near-realtime, but I'm not sure the best way to do this. My initial thought was to just use the connect and disconnect events, but this won't work because those get fired each time the user goes to a new page (since the socket connection is closed while the new page loads).
I've got it somewhat working where I record a timestamp in the database entry for that user on the disconnect event, and then when the connect event fires I check if they've accessed the site within the last 30 seconds. If they haven't, I can assume they are starting a new session. On the disconnect event I use setTimeout to see if they are still online 30 seconds from now, and then set their status to offline if not.
While this mostly works, it seems somewhat hacky and has several edge case issues that could be problematic (not to mention the fact that your going to have a new timeout server-side on each page view). Is there a better way to do this that I'm just overlooking?
The right way to do this depends on more than just 'whether there is an open connection'. Are you trying to display to other users whether someone is around/available for chat/whatever? Then you might also consider an inactivity timeout on the page itself (to capture the times when people walk away from their computer without closing the page). If you're doing something else, like metering usage, you might want a different mechanism.
I think the solution here is extending the timeout option for Socket.IO (NowJS uses this internally) or use your hacky solution with setTimeout.
Honestly that seems the best solution considering users can move to another page quickly.
What I ended up doing was creating a global object that holds the persistent ID for the user (so in this case their ObjectId in MongoDB) as the key and the reference to the setTimeout as the value. I then do clearTimeout on a 'connect' event and delete the key from the object when they are considered offline.

Facebook signed_request data and some security concearns

We've just developed a small Facebook puzzle that people win some gifts from our customer. I'd like to ask a few questions since I'm pretty stuck despite tried lots of things. First I'd like to write what we have and then will explain our problems.
What we did so far:
Root of application (/) checks for signed_request in POST params, extracts information from it to see if we've registered the logged in user into our database. This checks are also used to understand if the request is sent from Facebook or not to prevent requests coming outside of Facebook. (will write why we want this)
Once the application is successfully rendered, Facebook JS API takes place, does its checks and sets the fbsr cookie. We use that cookie information while processing ajax requests to check if the request really belongs to the logged in user (e.g.: scores being sent for a user belong to the logged in user).
We implemented CSRF protection and another protection to check if the requests are POST and more specifically AJAX requests and return 40x if not.
Problems:
Despite I do some checks to prevent spoofed scores, I couldn't think of a way that the logged in user could improve its own scores by simply calling the same JS code I do for real scores. We just ignored this for some time until we just found out that some people seem to take advantage of this bug.
One way I thought of is to ignore all requests except coming from Facebook. Since the ajax requests are blocked (cross site) we should have been safe. However this leaded to another problem that, once we redirect users to e.g. leaderboard the signed_request data is lost and our index page returns 40x once the user tries to go back since our application thinks that the user tries to visit our application outside of Facebook.
I hope that I made our problem clear. Gaming time is calculated by Flash (game is programmed in AS3) and it's sent via JavaScript methods to server side. We could have done it in Flash but that only prevents our problem from becoming trivial. Afterall we'd have the same problem if we had implemented the game in HTML5.
Any thoughts, suggestions are really welcome and thanks for your feedback!
This is a bug by design. You are calculating the scores on client side and then send them to the server. The server has no way to validate if the score is correct. This can ALWAYS be faked by clever users.
Never ever ever calculate things that could give users advantage on clientside. Clientside is evil. Everything on clientside can be manipulated - no matter how hard you try.
Calculate your scores on the server and use the client side only to display them. Every other solution is crackable.

How google doc sync two document at the same time?

I am making a cooperation application like google docs, but I found this is different to do on the web. The problem is, when the user typing, another user should see the update at the same time. But what actually behind the screen? Is that when the user have an action, it sent a http request, and write into database. At the same time, another user get the action from database, and rendering the result that the user just type. If use this way to implement, the database need to keep read and write.....apart from this solution, how can I sync two people work on the fly? Thank you.
Check out something like this http://pusherapp.com/
Or http://www.tornadoweb.org/
Both are good at real time pushes without constant AJAX requests that will put a lot of strain on your server

Categories

Resources