Let me explain my situation
I have a website that is connected with mysql to verify login credentials so the user can login to his profile page. I have read about HTML 5 App cache and it suits me,but how can i force App cache to cache files for offline use after the login verification?
I know that i can store (username and password) in javascript but this is wrong because anyone can see the username and password after.
So to summarise, is it possible my Website to be stored offline with app cache but after the login page?
App Cache (or manifest) is a list of files you want to make available for offline. It usually isn't related to being logged in or not.
I suppose, there's nothing to stop you dynamically generating the file after the user is logged in, with all files related to that user. For example, if you have a website where a user uploads art, you could generate a manifest for their collection.
However, when you change the manifest file, the browser will try to redownload everything which may not be the desired effect.
For logins, store a randomly generated cookie.
Related
I am currently evaluating the security risks for an electron app I am working on, with regards to whether it is possible to copy a file, or bunch of files stored on the user’s hard drive by electron, and just paste them into another installation on another machine and thus automatically be logged into the application using the session of the user who was logged in on the first machine. We use token auth in our app.
I noticed that electron stores its cache in a particular folder as mentioned here How to clear the cache data in Electron(atom shell)?.
Among those files I noticed a 'Cookies' file which seems to be an sqliteDB. When you open this with an sqlite db reader you can view the cookie data as plain text. However this doesn’t seem to contain the auth cookie of the currently logged in user.
Hence some of the questions I’m hoping to get answers to are:
When we log a user in the user’s auth token is stored in a cookie. Is this cookie stored in a particular file on the hard drive by electron which can be copied into another machine to spoof/hijack a user’s session?
If the answer to question 1 is yes is there a way to prevent this?
I am not a pro on security, so forgive me if I've gotten some security terminology wrong.
I have been building a mobile-web-app in HTML5/JQuery and as part of this app I need to require users to log in to Moodle on the app.
Unfortunately I have no idea how to do this.
I'm not sure if I can create a log in form on my App that will check User details with moodle, or if I need to redirect to moodle and get a response from there.
There are a lot of vague, confusing questions about this, so I'm going to be as clear as I can about what the app should do.
user opens App A
App A asks the user to use their moodle details to log in
Moodle tells App if log in was successful
App A either displays an error, or allows user access to the app.
If somebody could help me out here I would really appreciate it.
You can use moodle auth plugins for enabling SSO.
If you are hosting moodle on the same domain, cookies can be shared between App A and moodle and you can use the shared cookies while validating in moodle auth plugin.
And if domains are different, you would need to pass cookie (e.g. sess_uuid) in query parameter and grep it in your auth plugin and use it to validate against App A database (may be using REST call) and if cookies is valid, you can lookup for the user (identified by details provided in cookie validation call) in moodle. If user exists in moodle, you just need to set the global variable $user in the plugin and if user is not present in moodle, depending on you requirement, you can either create new user or do not set user in the plugin which would eventually cause login error.
I am developing a chrome application for storing encrypted user files. It uses Dropbox as a backend cloud storage file system. For simplicity the user logs in to the app using OAuth2 protocol of Dropbox API. Now for logging out the user I used the /disable_access_token as mentioned on the API page. This revokes the access_token but does not completely logs out the user because the next time I launch the app and click on login the app does not prompts for user credentials hence automatically logging in the previous/same user again.
Same question was asked at this link: Deauthentication through Dropbox JSON API (webhooks) but I did not get a satisfactory working answer over there and because of low reputation points currently could not even comment there.
EDIT: I tried removing all cookies set from the domains of dropbox.com as well.
I am working on internal website, which is used only within the company. The requirement for one of its pages is to log-in to our vendor sites (which are all on different domains).
For this I open these vendor sites within an iframe of the internal website.
Say,
Internal site: us.com
Vendor sites: foo.com, bar.com
On us.com/openvendor , there are two options: foo and bar. When a user clicks on foo, the iframe within the page opens foo.com in signed in state.
To achieve this, I replicate the login form of foo.com and post all the required parameters like username, password etc. to foo.com's page. I have all the usernames and passwords of different vendors stored in database.
Why do I do this? Because we don't want the users of this site(mostly our CRM team) to know the passwords (lest they use it to do unwanted and untracked transactions) and the activities done through us.com is recorded and saved.
So essentially, we enable users to login to any vendor site, just by clicking on a link.
This was working perfectly fine until one day, when I had to add a new vendor site which doesn't post an html form for authentication. This site (say whattodo.com) makes an ajax call to a url with login credentials, which returns back an authentication cookie. This cookie is then set by the site to make the user logged in.
Now how can I make my end users login to whattodo.com on a click?
I cannot make the ajax call to whattodo.com
Even if I overcome the above problem by storing the auth cookie value in my database and updating it monthly(ya that's when the cookie expires), I cannot set this cookie under whattodo.com domain in the user's browsers.
Please suggest a possible solution.
And please feel free to edit the title. I'm sure there's a better one to summarize the question.
I have an HTML5 app which is capable of running offline. However, I need to password protect the directory this app resides in to only allow access to authorized users. Initially I was using a PHP login page which set a cookie (outside of the app directory) then redirected to the app directory. The app (JavaScript) checks for the cookie and if it's there it lets the user run the app. If not, it redirects them back out of the app directory.
The problem with this method is that all of the files in the directory are still accessible if referenced directly (which I don't want). I do not want users to have to authenticate every time they hit the directory (it's a one-time authentication process; the cookie is there so that they never have to type their username/password again), and I also want to have a stylized login form (i.e. not using the default browser login box for http authentication).
Finally, because this is an offline HTML5 app, I can't include any PHP code in the app itself.
Any suggestions?
That doesn't sound like something you could do from Javascript. The script would need access to the file system to be able to restrict access to the folder, wouldn't it?
Unless this feature is exposed by the browser via a javascript API, I don't think it will be possible. It sounds like it would be a useful feature though.
Perhaps you could encrypt vital data, but apart from slowing down the application, I'm not sure what good it would do, since all the necessary keys would have to be stored locally as well...
Since the general rule of security on the web is that you can never ever rely on anything that happens client-side (e.g. in Javascript) without a double check on the server-side, this will of course pose a problem when the app is running offline and the server-side is not available :(
Looking at the "make Javascript redirect if the cookie exists" problem, unless I'm mistaken, it would be trivial for a malicious user to edit the Javascript, using for example Firebug, to redirect in any case.
EDIT: By the way, what level of security are you looking for? The "mom won't be able to accidentally access my account"-level (which it sounds like you already achieved), or the "no one, except maybe the NSA, should be able to hack it"-level?