HTML coding to authenticate user in the websites - javascript

I am having a doubt regarding whether it is possible to authenticate the user with html coding? If it is, I want the html script to authenticate user in my website. Or it is enough to tell me the websites which is offering free user authentication.
with regards
Anand

password and username authentication using javascript is a very bad idea, anyone could just bypass it through your html file or js file. You should use PHP and PDO or mySqli in authenticating users.

HTML is not possible, how about OpenID?

You cannot use pure HTML to create an authentication system, and using client-side JavaScript is not a good idea, for security reasons. To make the authentication system reliable you would have to involve some kind of server-side language like ASP.NET, PHP, Ruby or similar.
If you don't want to do it your self, there are plenty of CMS solutions that has built-in authentication. You could either choose a hosted solution like Wordpress or you could pick any CMS solution you like and host it on your own.
Here are a few to choose from:
http://www.orchardproject.net/ (ASP.NET)
http://drupal.org/ (PHP)
http://wordpress.org/ (PHP)
Microsoft also offer a free hosting solution for Azure websites, where they offer a simple click-to-setup service for a large number of CMS solutions, including above mentioned.

HyperText Markup Language (HTML) is the main markup language for displaying web pages and other information that can be displayed in a web browser.
HTML is just used to output something for the users. You cannot make an authentication system with HTML.
The best and the easiest way of authenticating, is to combine HTML with PHP. You can also do it with any other server side programming language.
You can checkout PHP Login systems, which are very reliable. You can surely grab code snippets that you can use as is.

Related

How to dynamically change the IP address on a NodeJS web scraper

I'm working on a project for scraping some data (odds) from different sites (bookmakers).
Due to their tracking sistem, sometime i need to change the ip (to be able again to scrape their site).
I know there are services that can help me to solve this problem, like some APIs with the capability of handling the requests for me (hiding me from the sites).
But the problem of those services is that the majority do not have italians IPs, and due to the italian regulation on online gambling, we can bet only on italian bookmakers, and we can access to them only with italian IPs).
But i know that there are services able to provide me tons of italian IPs, and my idea was to solve the problem by:
Creating my proxy server to call for handling my request (a server that change IPs when i need).
Implement a function able to change the ip of my request made by my scraping tool (the server with the scraping functions).
Honestly i don't know if those ideas could be a valid solution to solve my problem, soo my question is:
How can i implement those features to my code?
And if those options are not valid, is there a solution or a service that i can use? (even if is required a payment or a subscription).
Thanks in advance to all those who will be able to give me a hand!
P.S: I'm still improving my english. I hope I was as correct as possible :)
P.S.2: I'm using NodeJS with the Selenium JavaScript library.

Can a JavaScript library included in my HTML make a request to my site using my cookie session?

These days it's very common to include 3rd-party JS dependencies on your front-end project. Some ReactJS component, for example.
Is there anything that could prevent malicious code, bundled along my other dependencies and served by my own server, to, say, delete my account by making a simple AJAX call?
fetch("https://example.com/account", {
method: 'DELETE'
});
If so, does that mean we shouldn't be using cookies at all?
This is a general problem for all open source libraries, both on the backend and frontend.
If an attacker can add malicious code to your frontend, the attacker can do anything your code can do. So cookies or jwt or some other authentication mechanism doesn't really matter much. The attacker could add a backchannel and get control (check http://beefproject.com/ )
This is even worse on the backend, where using backdoored code could potentially lead to someone compromising your server or stealing all your database contents.
With this in mind, you should make sure you are using the right libraries and do some vetting. People have been publishing backdoored versions of common javascript libraries in npm. Example:
https://www.theregister.co.uk/2017/08/02/typosquatting_npm/

How to protect sensitive data on a SPA using JWT tokens

I'm thinking about making an app with javascript and make it a SPA.
Using JWT tokens to authenticate the users and set the user roles on the app, what is the best way to protect sensitive content?
Using html templates for logged pages is bad? Should i return always the sensitive content from the api?
Thanks
Everything dynamic should be passed through your web service. If you won't use anything improperly (like using SQL drivers without injection prevention) there won't be anything unsafe (for at least first stage).
Also, to prevent MiM attacks, you should use SSL/TLS.
You can encrypt your JWT. Such encryption is defined in the RFC7516.
Depending on the programming language used on server side and client side (JS) , you may find libraries that support the JWE.
At jwt.io, you will find a list of those libraries.

GWT: Login to a password protected third party website

After searching around a lot, I still can't find the answer to this question: Is it possible to login to a 3rd party website using GWT when the website is password protected?
I'm asking this because I would like to write a Google application that combines information from different websites (My news account, my forums accounts, etc.) ... like a kind of dashboard.
I have no problem doing it for non-password protected websites.
But for websites where you have to login and handle cookies, I'm just lost.
I found this very interesting tutorial that explains how to do it for Java: http://www.mkyong.com/java/how-to-automate-login-a-website-java-example/
But I can't figure out how to do it with GWT.
Any help will be greatly apreciated.
I thought about using RequestBuilder to send the authentication requests, and follow the tutorial you pointed to.
But after more consideration I guess the Same-Origin-Policy is going to prevent you to do ajax calls to another website from the client side in some browser. You also have to make sure that your domain is in HTTPS before calling remote HTTPS url. And you might run into other problems if you follow that path...
Conclusion: I suggest making those calls from the server using plain old java code.

is it possible to do web site authentication sans PHP

I would really enjoy avoiding the use of PHP for authenticating users on a website I'm developing, and I was wondering if I could use a SQL database, Apache sans PHP, HTML, Javascript/JQuery, and CSS to accomplish this? I know it's a far-fetched idea probably... but I would be happy if I could.
PHP is a single web development language, there are tons of options.
Ruby, .Net(C#/VB), Java, Python are some common alternatives.
You could work something out with JavaScript, but it would likely be sacrificing quite a bit of functionality/security.
Apache does have some modules like mod_auth_mysql that let you do authentication, but it doesn't look like it's been updated in awhile. The login box will be a pop-up box from the browser that requests username and password. You won't be able to put a Username/Password box on your page like other sites do.
If your webserver can't handle the authentication, you need some sort of "glue" that goes between your server and the browser to handle the authentication piece. PHP does a good job of that, but any of the languages Ryathal mentions would work as well.
If you do use javascript, remember that all of the source code used to secure your site is visible to whoever has the knowledge to look at it.
Yes you can use authentication methods built in to .htaccess if the right modules are enabled in your Apache installation.
This is only basic http authentication though so you would just get a popup box and you cannot log out unless you close the browser I don't think.
Authentication, Authorization and Access Control - Apache HTTP Server
You would need to use a command line utility called htpasswd to generate the user files.

Categories