How do I save html registration form data into a JSON file then log in based on it, without using any server side scripting languages? I want to use only Javascript and jQuery.
HTML file "simple form" contains:
First Name, Middle Name, Last Name, User Name, Password, Confirm Password, E-Mail, Phone
When a user enters his data and clicks the register button, his data will be saved in a JSON file on the server. I have created this JSON file on the server as:
C:\inetpub\wwwroot\usersData.txt
And based on this file usersData.txt, when another user wants to register, I need to check the that user name is unique, if it is a unique user name, save his data back to the JSON file.
I also need to know how to update the password in the JSON file when I use a hypothetical change_password() JS function.
Under normal circumstances, you should not be able to modify files on the server from client side scripting. Allowing that would let a malicious user put anything into that file, or, depending on configuration, any other file the server can access.
Doing only authentication client side is also problematic. If the client can download the userData.txt, the malicious user would know every user's email, password and phone number; using the email and password he could probably login to the user's email account, and another bad stuff can happen, so please don't do it!
So, there's no way to properly do it clientside...
I think you would be better served by not bothering to collect the data -- client-side authentication can never be trusted. Don't try to build a system that pretends to be safe. Instead, make the insecurity very obvious: store the username in a cookie and let any user type any username into whatever field sets the username cookie. (The cookie is just so they don't have to re-type it all the time.)
If you don't care about security be upfront and honest about it.
If you plan to do authentication on the server side, which you really really really should, you have to have something listening on the server, either your code or delegate the authentication to some other system. There's no way to magically update a file on the server from javascript running in the browser.
Related
I am currently studying web development at college and part of my course is to create a website for a mobile company that sells phones and they sell them online.
I'm trying to create a login and signup form but currently struggling to get my form to identify and use the email that the user inputs to send an email to them verifying that they have submitted is it possible and if so any help would be appreciated.
What I will suggest is in your server backend, whether it be PHP, NodeJS, etc
that you register the user in your database and have a boolean value named
'validated' true|false
set default to false, also generate a unique hash and assign it to that user under something like
'validate_hash':gnOOBhgenl2g432noug24g42
Use whatever function your backend server provides (or a library) to generate a unique has, and save this to the newly registered user
Then use a mail function to email the user with a link that will 'verify' them, by adding the unique has to a post url like this:
example.com/register/verify?hash=gnOOBhgenl2g432noug24g42&email=example#mail.com
Obviously you will have to create a script at that location and handles the link and checks the hash value given against the mail provided in the database
If the hash value matches, you can update the users status to
'verified'true
And they can now access services normally.
Majority of this wont need fancy outside libs or complicated coding, just follow what I suggested and google the things I mentioned if you need to figure out a particular element, or comment/msg me!
I have been working on a library which enable a website to add a comment section to their website.
The idea was to keep it as lightweight as possible thus I preferred to use JSON for basic data storage like comment's message, website and username. All of these data is public and can be access directly via JSON. I don't mind this since comments are going to get display publicly anyway.
However, the problem arises when I want a user to be notified when someone replies to their comment. Email is there in input field but I don't want it to be stored in the public JSON file. Is there any other server side data storage schema where I can store the email privately and at the same time use those emails from server side scripts to send email?
MySQL and others will make the library clunky, so that's out of the list.
Or even beside these conditions is there any other possible way to do this?
What you need is APIs and not a data source. A data source is a truth where all data lives. Like in your example, if you have email in your data, it will always be there. Unless you keep email field separately.
The way is to create api that will output required data from JSON files (or database). You can choose to hide the data that you don't want to show.
This way, you only expose the api, instead of the file name directly, which has risks of being modified or altered or hacked very easily.
Other way without using API is to have multiple JSON files.
One file will have basic data, and other will have confidential data, along with a foreign key like unique key that'd map the confidential or other data with the main record.
Example:
Comments.json:
{
"comments": [{userId: 1, ...},{...}]
}
CommentDetails.json
{...}
Users:
[
1: {"username": "", "email": "asdas#asdas.com",...}
]
You can use a database like MongoDB, that stores JSON documents, to keep the data of users and comments.
Then, the users collection will not be sent completely to the user, filterint the emails and other sensitive data.
Create a second JSON file, or CSV file for that matter, which is kept private, that maps users to their emailIDs.
Interesting project you are attempting, btw. Good luck!! :)
Why not just use a .htaccess in a directory where the data is stored and use something like "Deny from All"?
Your scripts could access then, but no user's browser.
Assuming there will be a mail server involved, can you host a web service with two endpoints?
Endpoints:
sends emails; takes an sender guid instead of an email address
stores an email; takes an email address and returns a sender guid
This web service could then be used by your library from any www accessible server. At the web service host the emails could be stored in the format of your choice. You will also want to secure you web service to prevent others from triggering mail notifications.
I'm trying to improve my jQuery skills developing a litte website containing a login system.
I'm looking for the best practise and most secure login system.
So far
I had a login.html having a <form action="login.pl">.
On my login.pl I'm connecting to my database and if the user is valid I print a http-redirect to home.html adding my params (?param1=val1¶m2=val2).
Now I took a different way (at least for me a better looking way).
I have a login.html doing an $.ajax request before submit.
The ajax request calls my login.plwhich is returning an json-sting containing a status.
If the json-sting status is success, I return true which results submitting the form <form method="POST" action="home.html">
Now I'm having a few questions:
My form POSTs the password to my home.html.
I believe I have to replace the password value and add some kind of session value to the form to be able to check later if the user session is valid or not. Do I?
How is this done on a professional security level?
I can't access the form data in my home.html as long as I use POST. I try to avoid using GET because professional websites don't have those ugly urls.
How am I supposed to transport username + session id? Do I have to use cookies here?
I didn't really worked with cookies so far, but since user can read cookies, I still won't add any real passwords here and replace password with a session id.
For my understandings: These security requirements won't change even with https. HTTPS provides a secure connection but I still won't save or store any real passwords anywhere on the client.
I have my website which has this issue. It could be hacked easily through javascript.If the hacker types this in his console he can easily add a user in my database and can signup without going through the stuff like checking password length , checking username length and so on ...
$.post("extra/includes/signup/register.inc2.php",{username:"user1234",email:"email#live.com",p:"here goes password"})
I want a code that could stop him from using console in my website. And if there is no way to do that then how to fix it by some other means ?
Disabling the console won't do. A hacker can always do the same request to your server as you do.
If it is something that isn't public you can protect it using a username and password, looking at the url it is a public script.
If you require a public register script the best way to protect against this kind of thing is to us a captcha (for example recaptcha. It makes it a lot harder to do a scripted attack on your register script.
Always validate the data server side, you can not trust the data you receive from your request because it can be easely manipulated.
You should not rely on client side form validations and it is total bad practice.Try to adapt framework like CI or Laravel . They have particular set of easy ways to validate the form inputs .
I'm using the PHP 5.5+ password_hash() function to hash my passwords before storage in the database. So far so good.
What I am a bit uncertain of is the need of pre-hashing the password that it sent from the form to my PHP script.
Now the form submit procedure is (in short terms) done like this:
HTML file which contains the form calls the controller script in form method=".." ->
Controller script recieves the call and picks the correct function ->
function execution and storage to database.
So basically the call is sent through three files from submit to storage.
I am thinking that somewhere along the line the data could be hijacked and seen in plain view since the hashing is done in the third and final file.
Should I be worried and somehow hash the password with some JavaScript during the initial submission of the form or is it safe? The final site will most likely use an SSL certificate but still I'm not 100% sure if I am safe or not.
Your concerns about hijacking the password between controllers are superfluous :
For an attacker to hijack the password while it's passed between different controllers it would mean the attacker has to be able to read the memory of the PHP process, which would require root privileges. If the attacker has root privileges, you have a bigger problem and your solution won't save you because that same attacker can also modify the PHP files to remove your "protection".
As for hijacking the password while it's flying through the Internet, the only solution is to use HTTPS - whatever Javascript cryptography/hashing you would do is pointless since an eavesdropper is also able to alter the page while it's being transmitted and serve a modified version of it without the additional "security" you added; there are many questions about trying to secure a login form without HTTPS on Security.SE, check them out :
https://security.stackexchange.com/questions/73917/techniques-to-make-a-login-page-safe-without-using-ssl
https://security.stackexchange.com/questions/37655/build-a-secure-channel-without-ssl-tls
https://security.stackexchange.com/questions/41845/login-security-without-ssl
https://security.stackexchange.com/questions/8924/what-is-the-best-way-of-securing-a-website-logon-without-ssl-or-preshared-keys