I have website which uses URL parameters e.g. example.com?key=value.
Let's imagine I have business card generator but besides parameters like name, surname. I want the user to provide a key to access it.
An example key can be gI8ol3dAci, I want my Javascript to check it before doing everything else. The key will be in a MySQL database table, I want to block IPs that entered wrong keys after 3 times and I want to store how many times key has been used. I was thinking about the following concept:
Check if IP is not blacklisted (3+ failed attempts)
Check if the key is working
Add 1 to count of uses of this key
The thing is I am not sure if it will be safe using JavaScript.
Related
I have an idea of doing a back office for my website. The problem is that, when I introduce a user who has, for example, two roles, I want the user to choose the role to work with, but I can't figure out how to do that. I've tried so different things such as putting the two roles separate with commas in MySQL and separating them in PHP but it didn't work.
let say you have a user table, and a user can have multiple role.
you can create a master table for role ( let say roles )
you can have a field on user table say user_roles -> it can have values like 1,2,4
note:- there should not be gaps between the numbers / comma
on the front-end you can take a mutiselect / tags UI element to input role for the user.
to fetch the role of a user at server side - you can use explode() + in_array() to check the role if exists
comma separated example
EDIT:-
It requires validation when adding roles ( ie: which user's role is allowed to select when already selected specific types )
For authorization, the user's roles should be added to the session :- this will help when allowing the user to do tasks he is allowed to do.
you can take a third table to maintain user's roles ( as suggested by #ADyson ), this will help if you want to join tables based on user + roles but you will need to join roles table for getting user data when starting session for the user.
As you can see, i am working on smart contracts.
I have a parsing function that when i give an ABI/JSON it is showing up the function with is variable.
Now, i want the informations that getting out from the parsing to sending them to the MetaMask, but i don't know how is proper to get them and i need help with the source code.
I want to have in one variable the function type as it is shown at the picture with the arrow.
And i want making variables name with the names that are shown (_startTime as an example) with the value from the input box that the user will give.
Metamask is a plugin used to execute the transaction. You can also send data with the transaction to the Metamask. To initiate the transaction first you have to login into the Metamask. Later you have to select the Network in the metamask and use Web3 wrapper to execute the transaction. I did that using Truffle and running local blockchain on my PC.
User visit web site on it's own PC and javaScript creates NotesSession.
var ns = new ActiveXObject("Lotus.NotesSession");
ns.Initialize(pass); // user password
I would like to get user info such as name and corporate phone number after successful session initialize. For message like "Hello %username%, your phone is %number%" I know way to get info about specific user from Domino server if I know name or something else, but in this case I'm stuck a bit.
If I try to use GetDatabase InternetExplorer hangs.
var db = ns.GetDatabase("", "names.nsf");
Get internet address will be good too
I'm wondering why you're doing this in JavaScript on the browser side instead of doing it on the server side, because this will only work for users who have a Notes client installed and configured correctly. However, if this is really the way you want to go...
The only information that you get automatically with the session is the user's name (in a few different formats). If you want anything else, you have to look up the user information on the server.
You can use
var nd = ns.getDirectory()
var userinfo = NotesDirectory.LookupNames("$Users",ns.UserName, fieldsArray)
to get more info.
Note that there are several phone number fields in the Domino Directory and depending on your organization's policy and procedures they may not all be filled in. You'll need to look up the item names (e.g., "OfficePhoneNumber", "PhoneNumber", "CellPhoneNumber" .. there are others) and put the ones that you want to retrieve into the fieldsArray that you pass to LookupNames. You'll get the result back as a NotesDirectoryNavigator object, and you can use that object's methods and properties to get the value.
I just want everyone to know that I am in no way a professional web developer nor a security expert. Well, I'm not a beginner either. You can say that I am an amateur individual finding interest in web development.
And so, I'm developing a simple, small, and rather, a personal web app (though I'm thinking of sharing it to some friends and any individual who might find it interesting) that audits/logs every expense you take so you can keep track of the money you spend down to the last bit. Although my app is as simple as that (for now).
Since I'm taking my app to be shared to some friends and individuals as a factor, I already implemented a login to my application. Although it only needs the user key, which acts as the username and password at the same time.
I've used jQuery AJAX/PHP for the login authentication, as simple as getting the text entered by such user in the textbox, passing it to jQuery then passing it to the PHP on the server to verify if such user exists. And if yes, the user will be redirected to the main interface where his/her weekly expense will be logged.
Much for that, my main problem and interest is within the security, I've formulated a simple and a rather weak security logic where a user can't get to the main interface without having to login successfully first. The flow is like this.
when a user tries to go the main interface (dashboard.php) without successfully logging in on the login page (index.php), he will then be prompted something like "you are not able to view this page as you are not logged in." and then s/he will be redirected back to the login page (index.php)
How I've done this is rather simple:
Once a user key has been verified and the user is logged in successfully, cookies will then be created (and here is where my dilemma begins). the app will create 2 cookies, 1 is 'user_key' where the user key will be stored; and 2 is 'access_auth' where the main interface access is defined, true if logged in successfully and false if wrong or invalid user key.
Of course I'm trying to make things a little secure, I've encrypted both the cookie name and value with an openssl_encrypt function with 'AES-128-CBC' with PHP here, each and every user key has it's own unique iv_key to be used with the encryption/decryption of the cookie and it's values. I've encrypted the cookie so it wouldn't be naked and easily altered, since they won't know which is which. Of course, the encrypted text will vary for every user key since they have unique iv_keys although they have same 'key' values hard-coded in the PHP file.
pretty crazy right ?. yea i know, just let me be for that. and as how the main interface (dashboard.php) knows if a user has been logged in or not and to redirect them back to the login page (index.php) is purely easy. 'that' iv_key is stored together with the user_key row in the database.
I've attached a JavaScript in the main interface (dashboard.php) which will check if the cookie is equal to 2, if it is less than or greater than that, all those cookies will be deleted and then the user will redirected to the login page (index.php).
var x = [];
var y = 0;
//Count Cookie
$.each($.cookie(), function(z){
x[y] = z;
y++;
});
//Check if Cookie is complete
if (x.length != 2) {
//If incomplete Cookie - delete remaining cookie, prompt access denied, and redirect to login page
for (var i = 0; i < x.length; i++) {
$.removeCookie(x[i], { path: '/' });
};
alert("You are not allowed to enter this page as you are not yet logged in !.");
window.location.href = "index.php";
} else {
//If complete Cookie - authenticate cookie if existing in database
}
As you can see, the code is rather incomplete, what I want to do next after verifying that the count of the cookies stored is 2 is to dig in that cookie, decrypt it and ensure that the values are correct using the 'iv_key', the iv_key will then be used to decrypt a cookie that contains the user_key and check if it is existing in the database, at the same time the cookie that contains access_auth will also be decrypted and alter it's value depending on the user_key cookie's verification (returns true if user_key is found in database, otherwise false). Then after checking everything is legitimate, the cookies will then be re-encrypted using the same iv_key stored somewhere I don't know yet.
My question is and was, 'where is a safe location to store the encryption/decryption key?' and that is the 'iv_key'. I've read some threads and things about Session Variables, Local Storage, and Cookie. And I've put this things into consideration.
SESSION - I can use session storage of PHP to store the key in something like $_SESSION['user_key'] then access it later when needed be. But I've read an opinion saying that it is not recommended to store sensitive information including keys, passwords, or anything in session variable since they are stored somewhere on the server's public directory. And another thing is the session variable's lifespan, it lasts for around 30 minutes or so. I need to keep the key for as long as the user is logged in. The nice thing I find here is that, it'll be a little bit hard to alter the value and I don't need to encrypt it (the iv_key) here since it is server sided, and hidden to the naked eye, well not unless when being hacked of course. What I mean is, they don't appear on the debugging tools just like how localStorage and Cookies are visible there.
LOCAL STORAGE - this eliminates my problem of lifespan, since it will be stored in the localStorage vault of the browser not until I close the browser. But the problem here is that the values can easily be changed via console box of the debugger tool, I can eliminate this problem by encrypting the 'iv_key', but what's the point of encrypting the encryption/decryption key? Should I encrypt it using itself as the 'iv_key' too? Or I can use base64_encode?, which eliminates the security of needing a key, and can be decrypted so easily with no hassle.
COOKIE - this one adopts two problems, one from session variable and one from localstorage. From session variable, I mean is the lifespan. As far as I've read, cookies last for about 1 hour or so, but still depends if an expiry has been declared when setting the cookie. The other is from localStorage, since it can easily be altered via console box of the debugger tools too. Although I've already encrypted 2 Cookies beforehand, but what's the point of storing the encryption key together with the values you encrypted?, should I go on with this and encrypt the 'iv_key' by itself, just like what I might do with localStorage?.
I'm lost as to where I should save this sensitive 'encryption_key' as it is crucial in encrypting and decrypting the cookies and other information my app needs.
Why am I so devastated with such security, despite having a simple worthless app?.
Well, because I know and I believe that I can use this as a two-step further knowledge which I can used with my future projects. I maybe doing web development for fun right now. But I'm taking it to consideration as my profession. And so, I want my apps to be secure in any means.
I've been thinking about services such as pwnedlist.com and shouldichangemypassword.com and the fundamental problem with them - trust.
That is to say the user must trust that these services aren't going to harvest the submitted queries.
Pwnedlist.com offers the option to submit a SHA-512 hash of the users query which is a step forward but still leaks information if the query does exist in the database. That is, a malicious service would know that the given email address was valid (see also: why you should never click unsubscribe links in spam email).
The solution I came up with is as follows:
1) Instead of the user calculating and submitting the hash herself, the hash (I'll use the much simpler md5 in my example) is calculated via client side javascript:
md5("user#example.com") = "b58996c504c5638798eb6b511e6f49af"
2) Now, instead of transmitting the entire hash as a query to the server, only the first N bits are transmitted:
GET http://remotesite.com?query=b58996
3) The server responds with all hashes that exist in it's database that begin with the same N bits:
{
"b58996afe904bc7a211598ff2a9200fe",
"b58996c504c5638798eb6b511e6f49af",
"b58996443fab32c087632f8992af1ecc",
...etc... }
4) The client side javascript compares the list of hashes returned by the server and informs the user whether or not her email address exists in the DB.
Since "b58996c504c5638798eb6b511e6f49af" is present in the server response, the email exists in the database - inform the user!
Now, the obvious problem with this solution is that the user must trust the client side javascript to only transmit what it says it is going to transmit. Sufficiently knowledgable individuals however, would be able to verify that the query isn't being leaked (by observing the queries sent to the server). It's not a perfect solution but it would add to the level of trust if a user could (theoretically) verify that site functions as it says it does.
What does SO think of this solution? Importantly, does anyone know of any existing examples or discussion of this technique?
NOTE: Both pwnedlist.com and shouldichangemypassword.com are apparently run by reputable people/organizations, and I have no reason to believe otherwise. This is more of a thought exercise.
Services like pwnedlist.com are working with public information. By definition everyone has access to this data, so attempting to secure it is a moot point. An attacker will just download it from The Pirate Bay.
However, using a hash function like this is still easy to break because its unsalted and lacks key straighting. In all reality a message digest function like sha-512 just isn't the right tool for the job.
You are much better off with a Bloom Filter. This allows you to create a blacklist of leaked data without any possibility of obtaining the plain-text. This is because a permutation based brute force likely to find collisions than real plain text. Lookups and insertions a cool O(1) complexity, and the table its self takes up much less space, maybe 1/10,000th of the space it would using a traditional sql database, but this value is variable depending on the error rate you specify.