Disable possibility to edit sessionstorage variable in console - javascript

So, I am creating this website that sets the sessionstorage variable 'logedIn' to true when the user succesfully logs in like this:
sessionStorage.setItem('logedIn', 'true')
That variable is used on the other webpages to see if the user is logged in before showing content, so that users who aren't logged in can't have access to the webpage. It works like a charm, but I have noticed, that if I manually type the code in the google chrome console, I can easily change the sessionvariable. This is obviously not wanted.
My question is: how can I resolve this problem?
PS: the reason why I don't use PHP session variables is because the login procedure is done with javascript. When the login button is pressed, ajax sends the given credentials to a php script, which checks the database. If it is successfull, it sends back a code to the ajax complete function, which sets the variable. If you have a better method of doing what I need to do, you are very welcome ;)
Thanks, Zeno

You can't and it's not safe. After AJAX result you should set cookies and validate them on every page on the server side.

Related

Stop a user from navigating past a signin form via the url

I have a website which contains a sign in page which should only allow the people knowing the info to pass the page, but if I type /nextpage.html in the url, it takes me past the sign in page. How can I prevent this? (I use javascript, not php)
If you use ASP.net backend for authentication. Then you do the following:
Upon successful sign in you have to set some session variable in
ASP.net
Then on every page load you need to make an ajax call to
check if the session variable is set, if it is, you show the content
that you wish to show to an authenticated user, otherwise, show them
a log in form.
you can put a variable which holds a user login status in session. if user is not logged in make it false or 0 after login make it 0 or true and put in session and check it always before page loads. and destroy session and make it false or 0 on logout.
So after a while of trying different methods, I came across javascript session- and localstorage. This is what helped me since variables stored in them can be used across multiple .js files.
Thanks for all the help!

Load page if there is a session, else redirect

So, basically, I want to do a very simple check, if there is not a session logged in, then I redirect the user to signin.html, I can do so by making a ajax request to my server in which it'll respond to me and then on the front-end I do something like
if(session){
//continue
}else{
window.location.href="signup.html"
}
However, my problem is that, for that 1 second or so that it takes the server to respond, since you can't use syncronous ajax requests anymore, my HTML keeps loading in the background allowing the user to see it for a split second, I'm trying to do something like if you were trying to access www.youtube.com/account without being logged in, it redirects you to google to sign in, without even loading its account.html. Also i'm kind of new to node... Hence my question... I think I might need to do this server-side, but I don't know how. Thanks in advance.
If you are using express, you can use res.render() to not send the view to the client until the session is logged in.
if(session){
res.render(indexHtml);
}else{
res.render(signupHtml);
}

Simple page authentication

I'm trying to hide access to a certain page on a rails app without using something like devise or sorcery. I want to create a password inside the actual app code, so when you access the page it just shows an input, and if the password is entered is correct, it will show the page. Could I get this done with Javascript?
Just to be clear, I'm not in favor of doing authentication on the front-end since it is very very insecure. But if you don't need that level of security you can use this tool:
http://www.javascriptkit.com/epassword/index.htm
That would generate an encrypted password checker which would work to protect your page.
You could do an AJAX request to check if the password is right, then when the AJAX response finishes, call a callback that shows the div where the page is.

"Was this helpful?" button

I'm wanting to create a "Was this helpful?" button, just with the options Yes/No. I don't have a database ready to receive the input, so, I'd just like each button to simply send an email to me if it was clicked. Maybe the email could just say, "a site user found this page helpful/unhelpful: [URL]".
I've coded email feedback forms in PHP before but can't think of where I'd start with this. I'm not sure if an email can be sent with just one click of a javascript button. Does anyone see this as a possibility?
You could use a library such as jquery to do an ajax post to a proxy PHP script:
$.post("/likedthis.php", { 'page': window.location.href},
function(data) {
// Deal with the post results here if you want
alert("Data Loaded: " + data);
});
Though one issue you will run into is people refreshing and clicking multiple times, potentially spamming you with email. A good basic protection against this is to set a $_SESSION variable or cookie with their IP address, and the page, so they can't keep clicking again and again.
Please note however that they can simply use another IP address, or say another page is helpful. However that would be a lot of work just for that.
Also for sanity purposes it would be a good idea to also check the page variable against parse_url() to be safe.
You cannot directly send an email through JavaScript. Here's one way you could do it:
Using JavaScript, add a click event listener to the button, which, when fired:
Disables the button, then
Sends an ajax request to the server, instructing the server to send the email
Using a cross-browser library will make writing the JS part of this simpler:
What cross-browser JavaScript libraries exist?
You wouldn't want to send an email in Javascript, even if you could. You'd need access to an SMTP server and you'd have to pass your credentials to that server. By using JS, your entire code will be client side and so your credentials would be easily obtainable. Are you able to use a server-side language?

header(Location:) via AJAX not redirecting

First off, let me say that I know this does not seem like an uncommon issue. I do not intend to clutter these forums with questions that have already been answered, but, I have worked through probably about 3 dozen threads with similar issues and have been unable to reach a solution.
The short description of my issue is this: I am trying to redirect after submitting a form using php's header(location:) function, and it's not redirecting. It is a little bit complicated because the form is submitted via AJAX. The steps my code goes through are as follows:
User submits form > form data sent via AJAX > form processing page validates data > if valid, form processing page inserts data into database > if submission is successful, form processing page adds redirect URL to $_SESSION > form processing page returns a 'redirect' variable > javascript/AJAX checks for redirect variable, and refreshes page if found > page header checks $_SESSION for redirect URL, and if found, sets appropriate headers and exits.
I guess the first thing I want to ask is, is this the right way of going about this? It seems to me that there should be a simpler way of doing this. It's obviously much simpler to pass the redirect URL to the javascript and do a window.location redirect, but I read that it's much better/more secure to handle that on the server side, so I'm trying to do that.
Assuming I'm going about this in the right direction, what could be going wrong here? I've checked for leading and trailing whitespace, BOM characters, I've even tried output buffering and I still have the same issue.
What happens on form submission is, the page refreshes, but it returns to the original form page rather than the redirect url. I have turned on the most detailed error reporting and get no errors at all.
One thing that may or may not be of interest, I have an error_log function set up to log all headers to a file right after I set the Location: header. When I redirect outside of AJAX (which works), the accept: header is set to html, but when I try to do it via AJAX, the accept header is set to JSON. Could that cause a problem?
Thank you so much for taking the time, and again, apologies if this is a dumb question. I have used this forum for years and have never once had to post a question on it because it has always solved my problems until now. Thanks in advance!
PHP is too generous to include in your code not only HTML code, but also JavaScript code. I'll explain one thing. When you send data by ajax, it is often difficult return Boolean data (whether true or false, depending on the conditions we work side server with php in some file established in our direction ajax) to give a final answer.
On the other hand, returning to the generosity of PHP, always when we try to validate data server-side and through ajax, we can manipulate the section where work freely to show some response message, a redirect to somewhere on your page or create a session. Anyway, whatever.
What I mean is that in your controller section where you will work with AJAX, you can set different conditions. That is, if the user data are correct, then you could send to call a script from Javascript to redirect him with a location.reload (); and also assign a session automatically. If the user does not have the correct data, then what we should do is return a warning message or alert to the exit AJAX, usually it goes after a:
function (response) {
$ ('.answer').html(response);
}
Note that it is not necessary require, for example, a $ ('.answer').html(response); to return an answer, because ajax only sends data to the server and if there is a reply message well, and if not well. Many times what I do, is to send messages via console, although it is often convenient to do so, because as often work with several conditions and that depends on the result of our request, we will be forced to show some response in some element within our code.
What I advise you is that you work javascript in PHP, and hence redirect to other pages, assign sessions or simply return a message. Remember that an ajax request is not only asynchronous, but repetitive and can send it to call as often as you need. The fact that you sent your ajax call php file and you have returned an answer, does not mean you can go back to work with it once you finish your ajax request.
It is the right way to do what you want, it is often easier to manipulate our server-side code that client side. Greetings.

Categories

Resources