I have a static website without any server side languages.
Is it possible to pass some custom values whenever a user tries to login then get the data back when the user successfully signed in and comes back to my website from facebook?
I've read about signed_request, but that requires PHP.
You're essentially asking if Facebook will store data for you.
Unfortunately, the answer is no. You need some kind of mechanism on your server that can match a Facebook user to the data you need stored.
You could use local storage, but that's obviously local to the browser and prone to tampering.
Related
I have a form that via AJAX validates login credentials from an external php script and database. I am attempting to password protect pages of a Squarespace website.
I am wondering if there is a way to securely store some kind of token returned when the user logs in using the login form that can be checked on each page the user attempts to access and redirects them or allows the to stay on the page based on if they successfully logged in.
I have looked into using cookies, web storage/local storage, window.name and several other methods that other people have used but none actually seem secure and I am not able to use php.
Is there a secure way to do this?
Well, it depends on what you mean by "Secure." By default, for example, PHP's built in Session feature will use either a query string or cookies. The same is true for ASP.NET's Session feature. These are used on millions of websites and I'd say it is secure. The question is, what are you storing in the cookie? If you set a cookie like "IsLoggedIn" with a value of 1, that's not secure. However, if you do like PHP/ASP.NET do and store some random string (ideally a cryptographically secure random string) which is validated server side to a list of logged in random strings, you're good.
But that begs the question, why aren't you just using PHP sessions to store this information? See http://php.net/manual/en/features.sessions.php Then you'd store the IsLoggedIn in the session object which is stored server side, not client side, and you're secure.
I'm a bit confused. I am trying to provide a simple Google Authentication sign-on.
I would like to use Google's recommended method using the client-side flow: https://developers.google.com/+/web/signin/add-button
If I use this method, how will I keep a user logged in as they move from page to page. I know I can't create PHP session via Javascript.
How can I use the client-side flow and keep a user signed in. I am using PHP on my server.
After spending a few weeks researching, I now understand that I cannot just set a php session variable and stop using oAuth2. I realize that everything I need to get information from Google, I must prove that I have still authenticated that user.
Also, I have come to understand that unless you force prompt, Google will not resend a refresh-token. To provide the best user experience, you must capture the token at first login and then re-use the token to make calls without having to force prompt. This token must be stored in a secured location such as a database for each user.
I want to use Facebook's log in, and then I need to display some data related to the user, which is in my databases.
The problem is that I have several pages, and I don't want all pages to load the data using Ajax, rather I want them to be created by JSP based on the user id from the first time the user logged in. The problem is how to set the user id parameter in the server side, and keep it safe?
JavaScript can't set the session, and it is very annoying and have poor performance to load the page and then wait for the id from the Facebook session just to send it to server and process it --> send data back. This is good behavior for the first time user logged in only.
I am using Jaxcent as the framework for Ajax which is based on servlets. For some reason, I can't get to work with the session object there which only works with forms inputs. And when I tried to put a hidden filed in, it is not getting into the session, only if I type the value myself.
How do I solve this issue?
I thought about a table in the database which I could quote the session id, and userid from, but then again I have the session id in JSP but the userid in JavaScript, I can't find a way to combine them.
You could create a page that you would pass the user id (when you get it from facebook) and that page would store a cookie on the client, with the necessary redirecting of course.
You might be able to do that with AJAX to get rid of the redirection.
Just set a cookie from your JavaScript code, and read that on the server. Note that you should include the full signed request if you need definitive values, as opposed to the user being able to modify them.
I am creating a chrome extension, rather a chrome webapp. This application just contains the html, js, image and css files. The application connects to a server to fetch data. I chose to do this as it would reduce the amount of files downloaded by the user. Using Backbone.js I have an MVC architecture in my application. Thus the application just sends json.
Now having said this, I need a session management. I plan to use Google authentication as the organization has Google Apps. I need a method that once the user has logged in using google auth the server get the user name every time the application makes a request.
Is it a good idea to add the user name in request header, if possible. Or should I use cookies? Can any one tell me how I could go about using cookies in this case?
This might be a late response but I want to present a more elegant solution to you given that the user has cookies enabled in their browser.
First read my answer on another question.
Now that you can send cross origin xhr from your content scripts all you need to do is store all your authentication and session management at server only. That is right, you just need to display whether the user is logged in or not and a logout button at client based on server response.
Just follow these steps.
At client Whenever user accesses your chrome web app, blindly make XmlHttpRequests to your server without worrying about authentication, just keep a tab on response from server which I describe below.
At server whenever you receive a request check for valid sessions or session cookie. If session is valid send proper response, if not send error, 401 or any other response to communicate to your client that session is not valid. It is better if you send an error code like 401 since then you can put a generic script at client to inform them that they are not logged in.
At Client If response from server is proper, display it, else display login link to your website.
IMPORTANT: Display logout button if user is logged in.
Check out my implementation of this in my extension
For help using Google authentication in your app take a look at Google's OAuth tutorial which comes with all you need (took me no time to set it up using this).
As for session management. The implementation of OAuth used by Google stores the tokens in localStorage. Also, as briefly mentioned in the extensions overview we are expected to use localStorage to store data. Thus, I suggest you store the users name here as it will be accessible throughout the app's lifetime (until it is uninstalled). However, you may need to manage the name stored here and consider what should happen when users log in and out. That said; I'm not sure if sessionStorage would be a better option as I've never used it before, let alone in an extension.
Note
localStorage and its counterparts only store strings so I suggest using a wrapper which uses JSON to parse and stringify to get and set your values respectively.
I just want to know can I create registration page with using javascript in html page and store all details to the client-side cookie session or I should have a database to store all information there?
Any help would be appreciated
This has to be server side, in a database. Why would you want to store this on users computers? What would happen if they moved to a different computer or deleted their temporary internet files? You'd cause problems.
Hi there, I just want to know can I create registration page with using javascript in html page and store all details to the client-side cookie session
You could, but then the user would be registering with their browser rather then with your website, which doesn't appear to make sense.
should have a database to store all information there?
Having a server side system which stores information in a database is the standard approach.
If you want to persist your user information and if you want your user be able to login to your application from anywhere, then you should use a server side database and store your registration information.
Yes, you could do that, but it would not provide any kind of security. It would also mean that you lose out on the ability to keep track of your users, unless the cookie is read by the server. Finally, your user's registration would only be valid on their computer, again unless there is a way for them to retrieve their information from the server (which means the server will need to have it).
If it's a HTML5 app you could use the localStorage and sessionStorage Objects to store your info however if the items you are collecting are security sensitive I'd send the info to a database or a protected file on the server. Leaving sensitive info in a cookie isn't wise.
If you're working with passwords, get that stuff into a database and encrypted/salted!