I have one query on JavaScript.
How we can pass values from one page to another page?
I am working with ASP.NET. My requirement is, I need to validate the user, whether his session expired or not. If the session expired then I need to show a pop up with two textboxes to enter his credentials.
In which case I was unable to do that in ASP.NET. So though of doing with the help of JS. But not getting ideas.
I know we can pass values from one page to another using querystring. But as per the security purpose that is not to be used in my app.
Please help me out.
Thanks in Advance.
Don't do that on the javascript side. Remember that you can't trust the client side.
Use ASP.NET to do this.
See this tutorial to get some help about using sessions: http://www.beansoftware.com/ASP.NET-Tutorials/Managing-Sessions.aspx
You can save the users info in a session, for example his id and current request time. Then you can compare the previous request time, which you saved while processing the previous request, with the current time. You save the current request time in the session again. If it's been to long ago you show him the login popup. If you need a more secure way of passing the login credentials I recommend using a ssl certificate.
You can set cookies. That's also not really secure, but it's obviously a lot more secure than query strings, though if you're dealing with something that requires more security than what cookies offer, then I would suggest that you're doing something really wrong. (Welcome to Stack)
Related
I have a web site with following functionality: An user comes to www.mysite.com/page.php. Javascript on that page makes ajax API call to www.mysite.com/api.php and shows results on the same page www.mysite.com/page.php
I'm afraid of situation where somebody starts to use my api.php on own software, because using www.mysite.com/api.php costs me a bit money. Therefore I want that only users that have visited the page www.mysite.com/page.php can get valid results from www.mysite.com/api.php . There won't be any way for users to log in to my web site.
What would be the right way to do this? I guess I could start a session when an user comes to page.php and then somehow maybe first check on api.php that a session with valid session id exists?
If you just want the user to visit page.php before using api.php, the session is the way to go.
Typically, if you want a "soft" protection you use the POST verb to get results from your site. Then, if the user goes the the URL in their browser and just types the api.php call they will not get a result. This doesn't protect your site but it keeps search engines away from that url reasonably well and accidental browsing to it.
Otherwise, there are lots of authentication plugins for php.
http://www.homeandlearn.co.uk/php/php14p1.html for example.
You can check the request in several ways such as Token validation, Session validation or even by Server 'HTTP_REFERER' variable
Check the referrer with $_SERVER['HTTP_REFERER'] if its outside the domain block it.
Beware that people can alter their REFERER so its not secure.
Another better solution might be a CAPTCHA like this one from google https://www.google.com/recaptcha/intro/index.html
Cookies, HTTP-Referer, additional POST-Data or some form data, that you send in an hidden input field aren't secure enough to be sure, that the user comes from your site.
Everything of it can be easily changed by user, by modifying the http-headerdata (or if you use cookies, by changing the cookie-file on the client machine).
I would prefer the PHP-Session combined with an good protection against bots (ex. a Honeypot), because it's not so easy to hi-jack, if you use them properly.
Please note: If there is a bot especially for your site, you lost anyway. So there isn't a 100% protection.
I have a web application which is used by lots of non-technical users. I have found that several of these users are saving the login page of the application to their desktops (which also saves the associated CSS and JS files). Then, to start using the application, they double click on that desktop icon which shows the local copy using the file:// protocol.
This can cause problems later on, e.g. if I change the login form, or the URL it posts to, etc. Also, certain javascript utilities, e.g. PIE.htc don't work using the file:// protocol.
Obviously what they should be doing is saving a browser bookmark/favorite, I'm looking for a way of detecting and warning those users without confusing the rest. I have been using some javascript to warn these users:
if (top.location.protocol == 'file:') {
alert('This application is not designed to be accessed from a desktop copy...')
}
But this will only warn users that have saved the desktop copy since I have added this piece of javascript.
Has anyone else had this problem and come up with clever solutions that they'd like to share?
Thanks
Update:
In the end I decided to do this by setting a cookie with a nonce value upon login page request, and storing the same value as a hidden field in the form. Then, in the form submit handler, check that the two are the same and show an error message if not. One could store the nonce in a session instead of a cookie, but I don't want to create unnecessary sessions.
If the user has saved the login page locally, they will likely have different nonce values in the saved form compared to the cookie (if they have a cookie at all).
Normally one wouldn't add CSRF protection (that's sort of what this is) to a login form, but it fulfills my requirements. I read about this technique on The Register, http://www.theregister.co.uk/2009/10/02/google_web_attack_protection/, Google implemented similar protection for their login forms, to protect against forging of login requests, http://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests.
I think your best bet is going to be educating the users to use bookmarks instead of saving physical files.
Other than that, there's probably a way to create a shortcut to your URL instead, perhaps during logon?
Maybe cookies? If site is running with file:\\ there probably are not any cookies within request. (Of course, now you should add some cookie (session data) on your login page.
Also, read about CSRF http://en.wikipedia.org/wiki/Cross-site_request_forgery and preventing method.
You could probably check the http referrer on the server side and warn users not coming from your hosted login form.
Edit:
Actually, a vaguely similar question has been asked before and got a good explanation why referrer is not an ideal solution and also provides an alternative solution: How to check if a request if coming from the same server or different server?
Why, don't you, instead of the alert, put a redirect to your page?
window.location = 'http://www.yourdomain.com'
Or you can also force a reload with window.location.reload();
Instead of message you may redirect your user to the real page which has login form, or show the help box that will explain that user should save page in such way.
You could set a session variable that is set as a hidden variable in the form. If that is not there, you redirect to your login form.
Hey am just curious to know if this can be done! I want to make a page that takes user name and password, and on submit, transfers the exact data right into the login form of a website(eg google, yahoo, facebook etc etc) and submits it right away. Please tell me how this can be achieved!
Thanx in advance!
Without installing plugins to enter the data and submit, no. You can't execute your script on a site from someone else. That would be too risky security wise.
Create private encryption method encrypt username and password save that as cookies and than to access your cookies and than decrypt those cookies again.
in short make use of cookies and if you neeed security care private encryption/decryption method.
Cookies are probably going to be your best bet. It might be difficult to port them from one page to another except these are webpages you have designed yourself and have declared variables to auto-fill the text-boxes.
Another approach will be to modify the code of these pages (if you have access to them) and use PHP and Ajax to connect to a database e.g a MySQL database (could be a database like Xampp running just on your local machine) and auto-fill the text-boxes.
Check this guide, it is a little similar to what i think you are trying to achieve
http://www.w3schools.com/php/php_ajax_database.asp
On my application, a session is created whenever the user is logged in, and this session is updated on the db and session is saved on cookies as well (using perl)
Now I modified the code to update the session using javascript. However when I log out then in again, the session found in the database is different from that found in the cookies. For some reason the cookies is not being updated using Perl after it is being updated using javascript. I don't what wrong I'm doing.
In javascript I do this:
createCookie(cookie_name,cookies_value);// where cookie_name is same as the one on Perl
Any help?
Sessions are normally lost when you log out of a web app, so it's expected to get a new one when you log in again. Without knowing your session implementation and login/logout code, there's no way of knowing if that's the cause of the issue.
What cookies are sent with the request? Which cookies are stored by the browser? Verify everything by inspecting the HTTP transaction, etc. then tell us what you find. Be a lot more specific than "It doesn't work".
Previously I had posted a program and asked about handling cookies in Javascript.
I had posted one code and u can find it in my other question.
Many gave good answers and I aslo tried their solutions. But since I am new to this html and javascript may be I dont know how to find bugs and debug it.
So can anybody please post their solution for this problem.
I want a webpage to be created in which it should check a cookie upon loading. If the cookie is 20 mins older it has to go to login page(ask for usename and password). Otherwise no login is required and it should directly come to one page(it is being designed).
So if anybody is already having a similar or exact code(in which time cookie is maintained) kindly post it.
Regards
Chaithra
It sounds like you're trying to implement a login system using javascript. If this is the case, STOP. All forms of authentication should take place on the server side, and you can use sessions to determine how long it has been since activity from that account. "Cracking" client-side (eg: javascript) security measures is laughably easy.
Short answer - This is a pretty good tutorial...click here...
Better answer - If you're going to create a login system you need to understand cookies, sessions, forms, and security (injection!!!) before you start on anything that is implemented for serious use. You should know to avoid client-side scripting for things like login before you even start. I'd recommend you keep looking at tutorials. You might want to look at things like the difference between different languages and when best to use which.
As nickf said, session timeout is best handled by the server side. The presence of a cookie is used to locate the session, not to implement the timeout. Session cookies are usually what's used to track session state - not the ones that expire. They last as long as the browser is open.
The server side, when processing a request, uses the cookie's value (usually a long random, hard to guess string) to locate the user's session. If the session isn't present, it can respond with a redirect to the login page.
EDIT: In the comments you said you're using goAhead - I'm having difficulty accessing their wiki but assuming it's close to Microsoft's ASP, see this link from webmaster-talk's asp-forum for an example of how to process a login. The part to note on the login page is:
session("UserID") = rs.Fields("usrName")
and the part that checks on each page load the sessions is still good is:
if (session("UserID") = "") then
response.redirect("default.asp")
This is like I outlined in the notes below, driving the timeout detection from the server side and letting the framework (goAhead in your case) do all the cookie magic and timeout on inactivity.