#1 2016-05-30 21:17:57

MarcelD
Member
Registered: 2016-05-30
Posts: 2

Web application protection

Hello,
I would like to know how other members here are dealing with web application protection.
I am developing a small web application with App Builder.
I need to have a login screen where users will enter their user names and passwords.
Validation process is handled by a web service.
From App Builder I need to set a global variable (like a session variable).

SetVar "[MyResponse]" "[NewClient.Response]" "String"

If "[MyResponse]" "==" "NotGood"
  SetVar "[AppMessage.Text]" "Connection refused. Please check your login and password" "String"
Else
  SetVar "[App.Mysession]" "Connected" "String"

Later, on the next page, I need to check App.Mysession to make sure the user is connected.

I am not sure this is the best way with App Builder; it does not work.

Could you please suggest an elegant solution?

Thank you for your help.

Marcel

Offline

#2 2016-05-30 21:37:28

David
Admin
From: Alcobendas, Madrid, Spain
Registered: 2015-04-21
Posts: 1,657
Website

Re: Web application protection

Hello Marcel,

Thanks for your interest in my work on App Builder. What we need to consider in the first place is that we are dealing with client-side applications. Then, except on some platforms (and after obfuscating the code when possible), our app code is visible to everyone, and anyone can change it with malicious intentions.

So any kind of authentication must be done on the server side, if the application requires it. For example, if your application deals with a certain database, and you need to perform HTTP calls to communicate with that database, send the user name and password entered by the user in the HTTP call.

Then the server checks the user name and password and never gives information access to unauthenticated users.

Taking this into consideration, and depending on the platform and the application itself, we can try one approach or another.

Offline

#3 2016-05-30 22:19:27

svanneste
Member
From: Paris, France
Registered: 2015-05-27
Posts: 155

Re: Web application protection

+1 for David's point of view: sessions must be managed on the server side. Even the login and password should only be sent in hashed form (so nobody, not even the "man in the middle", could see the real login and the real password. This works only if the login and passwords are created from your app, of course).
What you can store locally is some sort of token sent by the server to your app when the session is created, so you could have a double-check verification (for more security).
And do not hesitate to work directly with David as he suggested, because David has a lot of valuable knowledge, really :)

Offline

#4 2016-05-30 22:29:59

David
Admin
From: Alcobendas, Madrid, Spain
Registered: 2015-04-21
Posts: 1,657
Website

Re: Web application protection

Hello,

Thanks Samuel! You are very kind. :)

Offline

#5 2016-05-30 23:12:29

MarcelD
Member
Registered: 2016-05-30
Posts: 2

Re: Web application protection

Thank you David and Samuel,
I think I did not express myself correctly. Sorry for that.
My App Builder application is connecting to a remote web application made with Go.
So all database stuff is done on the server side.
This is my concern:
I need to have a protected area on my website, so only people who log in can see that page.
If someone asks for that page I should be able to check whether he is a registered user before letting him continue.
I was under the impression that using a global variable on the login page could allow me to achieve this task.
Am I wrong?
Is App Builder the right tool for that?

Thank you so much for your prompt reply.

Marcel

Offline

#6 2016-05-30 23:16:27

David
Admin
From: Alcobendas, Madrid, Spain
Registered: 2015-04-21
Posts: 1,657
Website

Re: Web application protection

Hello Marcel,

Of course you can use a certain kind of password access to an application's view; however, you can't guarantee that nobody takes the application's code and changes its behaviour in order to access that application's view. This is not an App Builder problem, but something that occurs in any HTML5 client-side application.

So you can do it, Marcel, and probably someone like my mom will never discover how to change the app's code, etc., and therefore will never enter the "secret app's view". However, anyone who really wants it... and puts in some effort... probably can do it, and then your "secret app's view" can be viewed.

Offline
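As an added illustration of David's advice in #2 and #6 (this is not code from the thread, from App Builder or from DecSoft): a Go backend, like the one Marcel describes in #5, that keeps the "connected" state on the server. The login succeeds only against server-held credentials, the server hands the client an opaque random token, and the protected page is served only when that token comes back; a client-side flag such as App.Mysession is never consulted. The user name, password and route names are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
)

// Constructed demo user; a real backend checks a salted password hash in its database.
var users = map[string]string{"marcel": "correct horse"}

// Server-side session store (token -> user); replaces the editable client flag App.Mysession.
var sessions = map[string]string{}

// Login verifies the credentials and returns a fresh token, or "" when they are wrong.
func Login(user, pass string) string {
	want, ok := users[user]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(pass)) != 1 {
		return ""
	}
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return ""
	}
	tok := hex.EncodeToString(b)
	sessions[tok] = user
	return tok
}

// LoginHandler (/login) checks the credentials and hands the client an opaque cookie.
func LoginHandler(w http.ResponseWriter, r *http.Request) {
	tok := Login(r.FormValue("user"), r.FormValue("pass"))
	if tok == "" {
		http.Error(w, "Connection refused. Please check your login and password", http.StatusUnauthorized)
		return
	}
	http.SetCookie(w, &http.Cookie{Name: "session", Value: tok, HttpOnly: true, Secure: true, Path: "/"})
}

// RequireSession serves the protected page only for a token the server itself issued.
func RequireSession(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("session"); err != nil || sessions[c.Value] == "" {
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}
```

Wire it up with `http.HandleFunc("/login", LoginHandler)` and `http.HandleFunc("/secret", RequireSession(yourPageHandler))`; the demo map is not guarded by a mutex, so a real server would use a locked map or a session store.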

Copyright ©2018 DecSoft. All rights reserved.