We have a number of pages where the only dynamic content is the user info (Name, profile link, # of items in shopping bag) which is at the top corner. These pages can take upto a second or more to load sometimes.
We are thinking of changing the pages so that the entire HTML page is cached using Cloudflare, then when it's displayed, JavaScript will check for the presence of a cookie name "Username" and "CartCount" and update the profile accordingly, or if the cookie is not available, show the customary login icon.
Is this method feasible and are there any security precautions that need to be taken?
Not only it's feasible, it's actively used by some of the big websites - eg. Airbnb, TripAdvisor.
You may notice that if you open these websites (and many others) at first it looks like you are not logged in, and then later DOM updates with your user name.
The only issue I see is CSRF tokens - if you cache the pages, your tokens will be outdated and not longer useful. You will have to turn off CSRF checks for your AJAX requests and sign in page.
Related
I have got a 3rd party website, which my customer wants to me to login into in order to download some data periodicaly.
The data is customer specific, and password protected.
I have the username/password, and I have searched for ways to do the login automatically so that I can pull data, but so far with no success.
This is a method that I have tried:
http://crunchify.com/automatic-html-login-using-post-method-autologin-a-website-on-double-click/
When I look into the login page of the website which I am trying to login to (view source), I don't see the login form, but if I click on "inspect element" in chrome on the fields of the page it does show that there is a login form hiding in there.
Any suggestions
Edit:
Here is the website which I need to autologin to: http://portal.dorad.co.il/#/Login unfortunatlly it's not in english. The first field is the username, the second field is the password and the button is the login
Edit2:
Taking pomeh's advice, I was able to find the jQuery code that is being triggerted when the text boxes are being modified. Now I want to run this script manually using element.DomContainer.Eval
(function(n,t){function vi(n){var t=n.length,r=i.type(n);return i.isWindow(n)?!1:1===n.nodeType&&t?!0:"array"===r||"function"!==r&&(0===t||"number"==typeof t&&t>0&&t-1 in n)}function ne(n){var t=li[n]={};return i.each(n.match(s)||[],function(n,i){t[i]=!0}),t}function uu(n,r,u,f){if(i.acceptData(n)){var s,h,c=i.expando,a="string"==typeof r,l=n.nodeType,o=l?i.cache:n,e=l?n[c]:n[c]&&c;if(e&&o[e]&&(f||o[e].data)||!a||u!==t)return e||(l?n[c]=e=tt.pop()||i.guid++:e=c),o[e]||(o[e]={},l||(o[e].toJSON=i.noop)),("object"==typeof r||"function"==typeof r)&&
...
(t=n(this);r=r.not(t),t.removeData(f),r.length||clearTimeout(c)},add:function(t){function s(t,u,e){var s=n(this),o=n.data(this,f);o.w=u!==i?u:s.width(),o.h=e!==i?e:s.height(),r.apply(this,arguments)}if(!u[o]&&this[e])return!1;var r;if(n.isFunction(t))return r=t,s;r=t.handler,t.handler=s}}}(jQuery,this)
I am not sure how to activate it and give it the relevant data.
If you have the right mix of technical requirements then you want Single-Site-Sign-On (SSSO).
Not all of my clients have SSL and I don't want my user name and password on all of their sites. They are however all on the same server. Since my site supports SSL I can log in to my own site securely.
What you need to do conceptually speaking is log the IP of the administrator account along with the data/time stamp. Then if you visit your client's website (again, on the same server) from that same IP you can have your scripting language check the file. I require a short time-span (anywhere between 30 seconds to two minutes tops) and the same IP address. You can add additional technical requirements to strengthen security of course though your options will be limited as the domain name will be different. If the IP matches the criteria emulate the user being authenticated (static obviously since you likely won't/shouldn't have your administrative account information on their site) and you can be automatically signed in.
Maybe you could do this using a web scraping framework like:
Goutte for PHP (https://github.com/fabpot/goutte)
Scrapy for Python (http://scrapy.org/)
node.io for Node.js (https://github.com/chriso/node.io)
request for Node.js (https://github.com/mikeal/request)
WatiN for .Net (http://watin.org/)
In any case, I think a client side solutions will bring a lot of problems to do this. Maybe you can login into it using a form tag which points to the page, but you won't be able to manipulate the page afterwards. Also, you may not be able to use AJAX due to CORS restriction. You could embed the target page as an iframe but you can't either manipulate the page because of differents domains used (you can do that under certains conditions but it's hard to achieve this imho). So a server side solutions sounds better to me.
Assume that there is a site (e.g. weblog.com) that users can register on it. after login, user1 would enter to "weblog.com/user1/" entrance page and then browse his own areas of the site. how can I allow him access to his area of my site through his domain (e.g. user1.com).
In other words, when other users enter to user1.com, we would authorize user1 in weblog.com in the background and users access to every user1 allowed pages through user1.com domain transparently.
note that if I use iframe to load weblog.com/user1/ into entrance page of user1.com, all links and also URLs used within javascripts redirect him to weblog.com/user1/. While I want this actions to be transparent from users of user1.com during working.
I am using Ext JS and .htaccess and CORS did not have any result for me until now.
every solutions, tricks or even subjects to study and keywords to search are welcomed.
Sure. What you basically want to do is to rediect your user to there web in your sub domain.
Now, firstly you need to create a javascript that generates a weblog.com/user1 and so on pages on user registration.
Next you have to specify your user to set dns or you have to set it for them that will probably work through your DNS panel (A records, CNAME, or MX records.)
After the user has been authenticated to there site or your subdomain. They can access the page in the same manner but you also need to specify login script at the same time.
I want to develop a small javascript tool for browsers.
This tool can extract some content from current webpage and submit it to another site.
The whole work flow is divided into 3 stages.
The first stage is to extract content from current page.
The second stage is to log in. The user needs to enter their username and password in a login form.
The third stage is to submit the content abstracted from the first stage.
My problem is that the third stage needs the cookie from the second stage.
I have tried iframe, but failed.
Cookies need to be, at least, on the same top domain and the cookie set to be visible up to the top domain. If you are on another domain, this is not a viable option.
Another way you can pass data is via a form submit. Assuming you are on a page on a foreign domain, using this technique, you can have your script build a login form that submits to your site, along with the data you gathered. It also means the 2nd and 3rd step is merged. No cookies needed.
I need a solution based on java script(cookies), which could save the user selected preferences and render the output(html pages) acc. to the cookie saved.
Here is the situation:
Lets say user starts from page1 and navigates to page2(having 40-50 hyperlinks) and there he selects or clicks one of the hyperlink and get directed to the target page(there will be 40-50 pages corresponding to those 40-50 links).
So all i need is to automate the whole process, so that after first visit user's selection could get saved and he will directly get navigated to final target(It will be one of the page from 40-50 pages).
Any code-snippet will highly be appreciated..
mrana
I am curious to know why can't you do this in a preference table on the server side. Cookies can be removed from the browser (which would force users to go through that step again) and storing 40-50 cookies in the browser is not a good solution, as cookies get transmitted to every HTTP request so it would waste users' bandwidth.
If you have these settings/preferences stored on the server side then you can easily determine where to send the user when he logs in to your site, instead of extracting those information from the cookies.
Alternatively you can store these preferences in localStorage which provides bigger storage for storing key/values. The downside is that you need to load a bootstrap JS first which will read the settings from localStorage and decide where to redirect the user.
But IMHO I'd still go with a server side solution if I have to store 40-50 preferences.
Note: Cookies can only have 4KB of data, this is a limit.
I have a web application which is used by lots of non-technical users. I have found that several of these users are saving the login page of the application to their desktops (which also saves the associated CSS and JS files). Then, to start using the application, they double click on that desktop icon which shows the local copy using the file:// protocol.
This can cause problems later on, e.g. if I change the login form, or the URL it posts to, etc. Also, certain javascript utilities, e.g. PIE.htc don't work using the file:// protocol.
Obviously what they should be doing is saving a browser bookmark/favorite, I'm looking for a way of detecting and warning those users without confusing the rest. I have been using some javascript to warn these users:
if (top.location.protocol == 'file:') {
alert('This application is not designed to be accessed from a desktop copy...')
}
But this will only warn users that have saved the desktop copy since I have added this piece of javascript.
Has anyone else had this problem and come up with clever solutions that they'd like to share?
Thanks
Update:
In the end I decided to do this by setting a cookie with a nonce value upon login page request, and storing the same value as a hidden field in the form. Then, in the form submit handler, check that the two are the same and show an error message if not. One could store the nonce in a session instead of a cookie, but I don't want to create unnecessary sessions.
If the user has saved the login page locally, they will likely have different nonce values in the saved form compared to the cookie (if they have a cookie at all).
Normally one wouldn't add CSRF protection (that's sort of what this is) to a login form, but it fulfills my requirements. I read about this technique on The Register, http://www.theregister.co.uk/2009/10/02/google_web_attack_protection/, Google implemented similar protection for their login forms, to protect against forging of login requests, http://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests.
I think your best bet is going to be educating the users to use bookmarks instead of saving physical files.
Other than that, there's probably a way to create a shortcut to your URL instead, perhaps during logon?
Maybe cookies? If site is running with file:\\ there probably are not any cookies within request. (Of course, now you should add some cookie (session data) on your login page.
Also, read about CSRF http://en.wikipedia.org/wiki/Cross-site_request_forgery and preventing method.
You could probably check the http referrer on the server side and warn users not coming from your hosted login form.
Edit:
Actually, a vaguely similar question has been asked before and got a good explanation why referrer is not an ideal solution and also provides an alternative solution: How to check if a request if coming from the same server or different server?
Why, don't you, instead of the alert, put a redirect to your page?
window.location = 'http://www.yourdomain.com'
Or you can also force a reload with window.location.reload();
Instead of message you may redirect your user to the real page which has login form, or show the help box that will explain that user should save page in such way.
You could set a session variable that is set as a hidden variable in the form. If that is not there, you redirect to your login form.