I have a website where logged in users can follow other users, each user is stored in a MySQL database, in this database there is a table that has each user session, when a user logs in, it generates a unique session ID for that device and stores it in the users browser as a cookie.
When a user clicks the HTML button on a webpage to follow another user, I want it to send a javascript XMLHttpRequest to this PHP file I'm making, however I'm not sure what kind of security measures to take, currently I require the ID of the user to follow/unfollow and the unique session id cookie value of the logged in user.
Basically, this "cookie"/session with the unique id, I want to know if it's good enough for doing ajax calls, it's kinda like a REST API, however, it can make changes to the database via PHP when the method is POST.
If you can think of any possible issues with this please let me know, I would sure appreciate it, and if anyone has any tips on making these kinds of Ajax API's please let me know.
Cheers!
While ajax request have session id, and user login in session, its secure to accept that request to make changes what regular user may do. Keep in mind all other security issues as for usual request or ajax, no matter, like changes to db, or other, so everything is limited to user functionality, then it secure.
Related
I am currently working on a browser extension that scrapes a website for any new messages and displays them. The way it works is that it sends an HTTP request to the server every 5 minutes and extracts any useful information from the response. The only issue is that after a certain period of time, the user gets logged out and an HTTP request needs to be sent to log the user back in. This requires the user's user ID and password. From searching on the web, I have come to realize that storing passwords locally is generally frowned upon as it is not very secure. But, I don't know what other option I have. So, my question is: What ways are there, if any, to do this?
From some searching, I came across this Credential Management API, but I'm not sure how I could use it in my extension. Any help would be greatly appreciated.
This question is a bit more about concepts.
So I have wildfly backend server which is paired with a MySQL 5.5 database that I created. I am trying to implement login - logout on my website. To login/signup and logout, I am using Google's oauth2 API: <div class="g-signin2" data-onsuccess="onSignIn"></div>
Once this occurs, I am sending the id_token (from Google) to my backend server (via websocket. Before I implemented the login/logout system, I used websockets for communication between my JavaScript and Wildfly server). The id_token is verified there, and then the user gets added to my MySQL database if he/she signed up at which point the database creates an id for the user. It returns this back to the JavaScript (via a secure websocket connection). If the user logged in, then (after id_token has been verified) his/her id is retrieved from the database and sent to my JavaScript.
Once this occurs, the user needs to have access to some protected pages that only logged in users can gain access to. My question is how can I do this (I am not asking for you to write code for me, but instead to point me in the right direction). At first I thought that in my navigation bar, I will add access to protected pages once the user has been logged in, but then un-signed in users can also access them.
Secondly, how can the user id be passed between the protected pages. For example, if a user clicks on page X and then page Y, how can page X's and page Y's JavaScript access the id. I thought a way to do it would be through storing the id sent from the server as localStorage or cookie, but according to this article, it is unsafe to store sensitive information as localStorage or Cookie. So how do I store this user id, so when the user goes to any protected page and does something that requires the website to communicate with the server/database, the id can be passed and appropriate changes can be made to the MySQL database for that id/user. (Another way of saying this is how can the id remain constant across all the protected pages for a particle user's session. If you look at the top of this website, it shows your profile picture with your reputation, and no matter where you go on the website, it remains there. So how did the developers of this website do this? Did they use sessopnStorage to store the user id so whenever you click on another protected page, the JavaScript of that page sends a request to the database to pull the profile picture and reputation of the user so it can then be displayed on the navigation bar? But then wouldn't this be a very inefficient solution?).
Thank you so much for the help and advice! I have never done this before and was wondering how to do this, so thank you so much for your help. I really appreciate it.
Is it because you have limited space to store session information of a logged in user or security concerns of allowing a user to be logged in for an extended time period, or probably a mix of both?
Is this done at the back-end or front-end?
Assuming it is a back-end requirement, I have seen lot of Javascript codes that creates a widget alerting the end user of a time-out. However I don't see how it can be really coherent with the server other than a guideline that says you haven't performed an Ajax operation for a certain amount of time and hence your session will be timed out without really checking back-end, because if you are checking back-end then you are actually extending you session.
Also in general, what is the criteria that extends the session of a logged in user? Does he have to fire an Ajax request to the back-end (assuming a SPA) or is it enough if he clicks on an input field? If so we do we keep a timer that gets cleared each time this happens? (Again not really coherent with the server but works practically). I know this is a broad question. Any pointers would be helpful.
[PS: If it is more about theory, I could just move to another site in the SO Network? I thought it is a relevant question for beginners.]
I have a web site with following functionality: An user comes to www.mysite.com/page.php. Javascript on that page makes ajax API call to www.mysite.com/api.php and shows results on the same page www.mysite.com/page.php
I'm afraid of situation where somebody starts to use my api.php on own software, because using www.mysite.com/api.php costs me a bit money. Therefore I want that only users that have visited the page www.mysite.com/page.php can get valid results from www.mysite.com/api.php . There won't be any way for users to log in to my web site.
What would be the right way to do this? I guess I could start a session when an user comes to page.php and then somehow maybe first check on api.php that a session with valid session id exists?
If you just want the user to visit page.php before using api.php, the session is the way to go.
Typically, if you want a "soft" protection you use the POST verb to get results from your site. Then, if the user goes the the URL in their browser and just types the api.php call they will not get a result. This doesn't protect your site but it keeps search engines away from that url reasonably well and accidental browsing to it.
Otherwise, there are lots of authentication plugins for php.
http://www.homeandlearn.co.uk/php/php14p1.html for example.
You can check the request in several ways such as Token validation, Session validation or even by Server 'HTTP_REFERER' variable
Check the referrer with $_SERVER['HTTP_REFERER'] if its outside the domain block it.
Beware that people can alter their REFERER so its not secure.
Another better solution might be a CAPTCHA like this one from google https://www.google.com/recaptcha/intro/index.html
Cookies, HTTP-Referer, additional POST-Data or some form data, that you send in an hidden input field aren't secure enough to be sure, that the user comes from your site.
Everything of it can be easily changed by user, by modifying the http-headerdata (or if you use cookies, by changing the cookie-file on the client machine).
I would prefer the PHP-Session combined with an good protection against bots (ex. a Honeypot), because it's not so easy to hi-jack, if you use them properly.
Please note: If there is a bot especially for your site, you lost anyway. So there isn't a 100% protection.
I need to build a feature like most of the banks use. Where..
if user has log in to bank account in a browser tab & again he/she change the url of browser & move to some other site.. and again come to bank's page by clicking browser's BACK button.. then bank automatically log out user from there site.
I think may be by java script we can do this.. but, can not able to understand how to do this. I'm using PHP for my server side script. Is this, possible by PHP to do this..
Regards
Suresh
This not a java/PHP question but depends on the exact behaviour you want to implement.
The only way to track the user "live" is through javascript. So if you want to know when the user leaves the page, you can bind yourself to an event listener and then do an ajax call or something like this that invalidates the session on the serverside. Keep in mind that users may be browsing your site with JS disabled, so you need a fallback on the serverside.
I would recommend you to implement session storage on the serverside with a storage mechanism (either the built-in PHP session store or some external storage like Couchbase or Redis, Memached,...) and set the logout time to a sane default (lower if it is something like a banking application).
If you have the basics in place, use JavaScript to enrich the user experience, for example by showing a "countdown" when the user will be logged out and sending session refresh ajax calls to the server to renew the session every time the user has an interaction with the website and such.
For more detailed information I'd need more requirements from your side!