I want a way to log in and store a users details (maybe in a cookie?) securely using JavaScript.
The main I want to do is go from http://localhost:3000 to http://localhost:3000/welcome which I can do using the below code document.location.replace('./welcome');
However, if I currently type in http://localhost:3000/welcome address then it will take me straight there instead of asking for auth. how can I get a login page to be thrown in front of this page if no one is logged in?
any good tutorials on this? thanks
You will need to do this server side. Other important thing to note is javascript it client side and not necessarily secure at all.
Related
I have an html page that has a form and is communicating to a server via JSON requests, when loading (e.g. in order to remember user's previous answers) and when submit button is pressed (e.g. in order to save his new answers). Every user has a specific user_id that is located as an attribute in the url of the website. I have only HTML pages, CSS and Javascript that makes some simple functions, as well as received and sends the requests.
The problem is that the server needs an api-key for the request to happen, that I need to be kept hidden, but instead is easily discovered when the user sees the source code. I want this specific line to be hidden, but I guess this is not possible without any backend in the game.
I would like to know the easiest and fastest way to get from this state (just frontend, where every piece of information in the source code is totally insecure) to another where the api-key (at least) is not on the open.
I guess the solution is to use a server for that part but I need suggestion on the easiest transition from my code to another. I tried to use GWT, as I am a bit more familiar with JAVA backend application (but not with GWT), but seems like a big trouble, where I need to change my HTML, my Javascript and also the CSS that I have may not be useful, as well as I face a lot of problems when trying to read my parameters.
I know that it is not the best way but I do not have a lot of time to make it work, so sorry if it seems lazy (I am new to this type of programming), but I haven't found anything helpful and I cannot study for 2 weeks in order to be able to begin implementing it.
Is node.js (which is Javascript and I already have implemented the request sending/receiving in this language) easier than GWT for that matter? Will my sensitive data be secure in that way? I would be grateful if there was a similar sample, that I could start using for my implementation, as I haven't find anything that is specifically helpful for my situation.
Thanks in advance!
NodeJs is not javascript, NodeJs is specific javascript "interpreter" whose is purpose is mainly to be executed server-side. If you have an HTML page, it is likely to be loaded in a web browser (client-side), so not in a NodeJs environnement.
Everything that is hard-coded in the javascript of you web page is visible from the client, there is no way around that. So yes, you need some server-ish thing somewhere.
If you are not to manage a server by yourself or via PaaS, you can go for a serverless architecture. For instance, If you consider AWS which I know the most, you can easilly add some user management to your web page using Aws Cognito User Pool. Once a user is connected and have the good permission, he can be granted access to some other resources via a JWT token that you send along with your request.
I've managed to scrape websites that require no login using js only and a little help from websites that allow me to pass the CORS issues(like allorigins), but I just couldn't manage to get pass through the login problem.
I've seen many posts discussing of doing it using node.js and python beautifulsoup, but none on how to do it with javascript.
So how do I go about it?
Is it even possible doing it purely on client-side?
I'm willing to do all the learning and searching needed, but I need some direction in this vast subject.
Assuming you meant using in-browser JavaScript, how did you get around CORS? And if you did, then once the page refreshed after a successful login you code would stop running anyway unless you were a browser extension.
If you mean on your computer, then Node is what you're looking for, but unless you use a project like Headless Chrome then you'll run into the issue of saving the cookies between requests which is what keeps track of your session and actually keeps you logged in.
Login requires a direct interaction with your browser, like saving a cookie, returning a security token etc.
If you use JavaScript from a html page, it would theoretically require to visit the other page, at least inside a iFrame. There is a limit of how much you can do with javascript inside a iFrame.
With other words you try to imitate something like Selenium. Give it a try. It works with Java. You can control you browser, telling what to do, like a real user, and fetch the results, make even screenshots.
I have a web site with following functionality: An user comes to www.mysite.com/page.php. Javascript on that page makes ajax API call to www.mysite.com/api.php and shows results on the same page www.mysite.com/page.php
I'm afraid of situation where somebody starts to use my api.php on own software, because using www.mysite.com/api.php costs me a bit money. Therefore I want that only users that have visited the page www.mysite.com/page.php can get valid results from www.mysite.com/api.php . There won't be any way for users to log in to my web site.
What would be the right way to do this? I guess I could start a session when an user comes to page.php and then somehow maybe first check on api.php that a session with valid session id exists?
If you just want the user to visit page.php before using api.php, the session is the way to go.
Typically, if you want a "soft" protection you use the POST verb to get results from your site. Then, if the user goes the the URL in their browser and just types the api.php call they will not get a result. This doesn't protect your site but it keeps search engines away from that url reasonably well and accidental browsing to it.
Otherwise, there are lots of authentication plugins for php.
http://www.homeandlearn.co.uk/php/php14p1.html for example.
You can check the request in several ways such as Token validation, Session validation or even by Server 'HTTP_REFERER' variable
Check the referrer with $_SERVER['HTTP_REFERER'] if its outside the domain block it.
Beware that people can alter their REFERER so its not secure.
Another better solution might be a CAPTCHA like this one from google https://www.google.com/recaptcha/intro/index.html
Cookies, HTTP-Referer, additional POST-Data or some form data, that you send in an hidden input field aren't secure enough to be sure, that the user comes from your site.
Everything of it can be easily changed by user, by modifying the http-headerdata (or if you use cookies, by changing the cookie-file on the client machine).
I would prefer the PHP-Session combined with an good protection against bots (ex. a Honeypot), because it's not so easy to hi-jack, if you use them properly.
Please note: If there is a bot especially for your site, you lost anyway. So there isn't a 100% protection.
I am designing a portal where i have to send requests to the server and get response from it. Since i'm writing the entire code in javascript [AJAX], it's hard to safeguard the URL's which i'm using. Right click --> view page source will make the entire script, URL's naked!!
I know it's impossible to protect your code 100% by writing in javascript, Is there any ither way to do it? any other language?
No. You cannot keep the communication between the user's browser and your server secret from the user.
If you don't want the user to know something, don't let the browser know it either.
Anything that offers a public API needs to be absolutely paranoid about not only authenticating each request, but also ensuring that the authenticated user has the necessary authorisation to perform the request.
eg: DELETE /file/4
You must make sure you have authenticated the person making the
request.
You must make sure the user is authorized to perform DELETE
operations.
You must make sure the user owns file 4.
Even if you expect your own website to be the only consumer of your API and you're not going to publicise it or document it, you have still implicitly made it public.
Actually I want to store a file on a client PC.
I know that asp.net does not allow to access client harddisk but by using any trick or any idea?
For security reasons I want to save a file on client's computer containing user information. I does not want to save a cookie in a user's browser.
Scenario.
I want to store something on client's PC permanently by using which I identify the user. Everytime when user login to mysite I will check that file on client's PC. If file is present then user will login sucessfully if file is deleted by the user or by any reason file is deleted or user comes from another PC then again save a file on client's PC. I does not want to save something on browser bcz user may delete the cookies and other histroy.
Don't mark my question as negative, I don't have any harmful intention.
No, this isn't possible.
Any technology that lets you store files will throw up a stack of security warnings.
Short answer...no
There are a number of ways to accomplish saving a file to the users machine. They will all require some form of permission from the user. (i.e. a java applet will need trust)
The advantage here is that if you self-sign your applets and use the same sig for all of them then you can obtain trust through another applet and it is then extended to your file writing applet.(if they check the box too) However the user will always have to click at least once that they trust you.
Note that even if trust is extended like this they may well see another trust box asking them to trust microsoft to do file operations(in the case of win systems)...they will always know whats going on
EDIT: Just had a thought, depending on what you want to save you may be able to squeeze it into a cookie or a batch of cookies. A lot of users have these always on and will never know....sneaky
No, it's highly unsafe to have access to the client PC without any permission.
"I want to store a file on a client PC without telling to the client." - that is where the real problem lies. You should not do this. And the browser is designed to stop you doing this, quite rightly.
You need to go back and look at what you are wanting to do, and do it differently.
This is break a fundamental security principle of Web Applications