Ways to keep user input data after session expiry on a webpage - javascript

Some pages remember input via Back/Forward. So you can copy your stuff. I imagine thats tricky.
I don't know any coding languages so as an outsider:
Isn't it easier to just trigger a login popup on top of whatever you are doing when your sessions has expired and you use an action that requires you be logged in?
I need to know if thats hard or the guy who's doing my webpage is bullshitting me for cash.
(obviously don't get into any pop-up blocking cases - assume popups are allowed.)
To clarify:
If we make a cookie that effectively re-logs you every time your session expires, we might as well make sessions never expire. The point is to - every now and then ask the user for credentials without wasting their current page input. Thats why I asked if instead of redirecting the user to login or disabling the page, can't we just trigger a login inside a new pop up? I haven't seen it done very often on the web thats why I asked if its complicated.

There are several ways to go about doing this. As far as coding ability personally I wouldn't say it's difficult enough to charge you an arm and a leg, but the complexity does depend on the language, the organization of the site, and along with those things, it's completely relative depending on who you've hired.
I guess to give you an example of storing information locally when a user visits a website using javascript you can do the following:
// Store
localStorage.setItem("lastname", "Smith");
// Retrieve
document.getElementById("result").innerHTML = localStorage.getItem("lastname");
for a more in depth look at that example you can check out http://www.w3schools.com/html/html5_webstorage.asp

Probably, your problem can be solved very easily with the use of cookies in you page. Setting cookie will let the user logged in for the specific time as specified by the programmer.
If you are sure you just want some action to do if login session expired, then you need not to let the user perform some other action. Just store the relevant information in cookies instead of Session and user will be logged in.
Ask the person you hired for making the use of cookie.
For more details on how to work with and about cookies, visit this link

Related

CodeIgniter protect sensitive data in HTML when user leaves browser open

I have a problem and after some research online was unable to find other people with this same issue.
I'm designing a site that has sensitive data the user's work with in the page content. It uses CodeIgniter as well as CodeIgniter's session and cookie implementations to track user activity and determine when a session has expired. when sessions expire, the user has to log in again either through a sign-in portal or through a sign-in popup.
My issue is if someones working on their computer then just gets up and walks away from the browser, the session expires, but they didn't realize the session would expire then return to their computer to finish their work. There is a regular ajax call that checks if the user has been inactive, and if the time threshold is reached their session data will be erased and the session is no longer active. There is then a popup window prompting the user to sign in again if they want to keep working.
The problem is, how do I protect any sensitive data in the HTML in the meantime? You might think if the session expires just redirect the user away from the page, but if they're in the middle of something I don't want to erase all of their work. I could try just hiding the HTML using javascript, but then someone could just open the inspector to see the HTML. is there some way I could prevent anyone from seeing the page data at all unless the sign in a popup is completed?
Thanks for any input.
I don't know of anyway to protect their work like you're asking.
I'd suggest saving the users work in a draft format, as they enter it. Then if they walk away and get logged out it doesn't matter, the work is still there when they log on next.

Prevent user created pages from stealing login cookies

I have a webpage, let's say that the page is called: http://www.mypage.this/
In my page users can create their own HTML pages and access them through www . mypage . this / (creator's_username) / (project_name) . For instance, if my username is "USR" and my project is called "PROJECT" then the link is http://www.mypage.this/USR/PROJECT .
But there's a security problem...
I store people's login tokens as cookies. And what if some user's script has a function which reads the cookie and sends it to someone else?
They can get access to someone else's account. The token has to be saved as a cookie, because I need to verify the user in multiple pages. What should I do to prevent the user created scripts reading the tokens, yet still allow my pages to read the token?
Thank you in advance
*The tokens are of course regenerated every once in a while
To clear misunderstanding, I am NOT storing passwords in the user's side. I am storing a login cookie - a randomly generated string, re-generated on every login. And I store that on the user's side.
If you have to verify users in multiple pages, you should store login information in the session, not in the cookies. This way everything stays on your server, and only you can access it.
Cookies are made so that you can store information even when the user disconnect, leave the browser or anything else.
Storing login information in cookies is generally a bad idea, as it's not really secure.
Oooh. You really don't want your users to be able to create pages that run scripts in other browsers. That creates a risk of cross site scripting vulnerabilities (like that one you've mentioned here). Your safest bet is to start with blocking all SCRIPT tags. Then there are probably other things to block as well. This is something worth spending time reading about:
https://en.wikipedia.org/wiki/Cross-site_scripting
https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

How can I 'lock' a page behind a log-in screen in jQuery/Bootstrap/JS?

I've been building a web app using Google's Firebase as a backend (for those who don't know, it's a Realtime database; any changes in data are reflected instantly and updated), there's other people working on the Android app with it so there's no other option (plus it's kinda cool). I was surprised that I have yet to write a single line of php or any server-side code. Anyway, jQuery is working perfectly fine for login and stuff.
Now I'm going to be making an admin page (with a separate login from the main users login). It'll be accessed in a completely separate way (by opening something like /admin.html). So the login can't be put on a separate page so people don't 'accidentally' access the admin panel by writing /admin.html in the address bar.
So I want to stop the admin page from completely loading until I've received confirmation from Firebase that the credentials are correct. So how can I achieve this knowing that both the login and the whole admin page needs to be in the same file. I'm positive this can be achieved with simple jQuery + Bootstrap but I'm not really sure how. Can anyone please point me in the right direction. Thanks in advance!
I have googled it of course but maybe my wording is off? :P
If I'm understanding your question correctly, your problem is that you need to create two separate views in a single file, and redirect to one or to another depending on your user "session", however, as all your code is in client, you don't have a "session" system operative.
Ok, there are several options you can take. I like the idea of using LocalStorage to store the user session.
When /admin.html is requested, your code checks for a valid session object (keep in mind that you'll need to define that session object) in the LocalStorage. If there is a valid object, you render the admin area, if there isn't any, you render the login area.
When someone sends username/pass to the database and you receive a valid response, you create a session object, store it in the LocalStorage and reload the page.
Keep in mind that you'll need to create a mechanism to make sessions die and a log off view.
For the dying sessions, as an idea, you can store the creation time and a expiration time in the session object. Each time a "session protected" page is served, when you check that the session object exist, you update it's expiration date a fixed amount (20 minutes plus current time, for example).
So, when you check if exists a valid session, you also check that it's expiration date has not due, and if it's, you delete the object.

Store if user has pressed button at any point before

I am making an image gallery, and I wish to have a vote up button people can press to increment the number of votes an image has received. Obviously I don't want people spamming the vote up button, so I want to limit each user to 1 vote up.
I do not have access to any kind of database (except writing to files), and a login system would not be good for my target audience.
What is the best way to store whether a user has visited the page before? Would it be better to use PHP or JavaScript or something else for this?
Without an authentication system, you can limit the action of a user temporarily, but the user can trick your system to vote multiple times.
Here are solutions not using a login/auth system (and their drawbacks) :
You can store the upvote action client-side with cookies, localstorage or any other mean, but the user can clear all off that to regain the right to vote again. For most people it can be ok (depends on your audience), but any techy guy wanting to cheat the system will be able to do it.
You can store the update action server-side with a reference such as the user-agent or the IP adress. But these "authentication" system are not reliable : user can share the same user-agent and change them easily. Several user can share the same IP adress and use proxy to change their IP adress.
The third solution is to use an external system : a facebook +1 voting system (facebook uses its own auth system) or google+ or other external services. User won't be able to trick the system, but you don't own the upvote count on you side and someone without a facebook or google+ account will not be able to vote.
Personally I would go and find myself a database... but if you don’t want to use one, you can still write to a file. For example: Create an array and store the IP address of the user in it. Than write this array as JSON code to a file (json_encode) and store it. When a user clicks the like button, read the file, decode the json (json_decode) and check if the IP address exists in the file. If not: add to array and store to the file. The amount of likes, is equal to the amount of IP addresses in the JSON object.
The best way to implement this, is to make an ajax call when the like button is pressed. Than the visitor won’t see a page load.
Note: Technically you can set a cookie, to "remember" that the user already clicked the button. That would save you some reading of the file in which the likes are stored.

is it possible to run javascript one time only?

Hello I'm looking for one time clicking solution , i want javascript to load only one time in life for every member of my website
when member of my website will interact with javascript for example by clicking yes or no in browser i want this script not to load again in his browser
This is something that's best to do on the server side. For example, if you have a database field for users that is something like "Last Login" and you only load the script if that value is null.
It depends on the info you have on your users. This is not advisable to solve in js.
I would use cookies, however clunky that may seem. Create a cookie when he presses the button in the form and just test for that cookie when he visits each page. Do remember that people with cookies turned off will keep receiving it though.
You can use cookies or local/session Storage for this...something along these lines
if(!localStorage.getItem('isNewUser')) {
localStorage.setItem('isNewUser', false);
alert('new user');
//insert whatever you want to do the first time a user visits your page
}
There is no reliable way to do what you are asking. How are you going to uniquely identify your users? What's gonna happen if your users access the page from within another browser, another IP etc.?
The only somewhat reliable way of doing it is through a registration system which would require your users to log in before using your one-time functionality. Once they log in the functionality (button) should only be available through a server-side request or an asynchronous (ajax) request through JavaScript.
Even then its usually a lost battle to prevent people from creating multiple accounts etc.

Categories

Resources