On 31 August 2011, at 23:31, Derrell Lipman wrote:

> On Wed, Aug 31, 2011 at 16:52, John de la Garza <[email protected]> wrote:
> I am trying to create a login page.  I want to wait on the app
> building the GUI until after they have logged in.  In my first attempt
> I created a login form.  I now realize the form is async and my app
> can't wait.
> 
> I'm thinking the solution is to have the success login event load the
> GUI.  I assume that I can't have a dialog box that blocks execution
> of code till the correct auth info is entered.
> 
> Any ideas on this?
> 
> If there was a way to say open a dialog box and stop execution until
> I get the answer I would do that.  I'm new to event driven
> programming.
> 
> Basic concept: Never assume that anything in your browser is private. If you 
> require that the user has logged in before even seeing the rest of the GUI, 
> then the rest of the GUI should not be loaded from the server until after 
> login. Therefore, your concept of having a dialog box that stops execution 
> until login is complete is dangerous, because a somewhat knowledgeable user 
> could easily bypass that and cause the already-loaded GUI to be displayed.
> 
> If the GUI is private until being logged in, then the correct way to handle 
> it is to load the GUI after successful login. (See Marc's message.)
> 
> If the GUI is not really private, then your general concept is ok, but you'll 
> probably want to just not display the GUI until they've logged in. You'd then 
> use the event which contains the login success information to display 
> your GUI.
> 
> Finally, every interaction with the server must validate the requester *at 
> the server*, because the somewhat knowledgeable user could easily snoop on 
> messages being sent, or even look at the code to see what belongs in a 
> message to the server, and create a message that causes some server action 
> that should have required the user to be logged in.
> 
> Cheers,
> 
> Derrell
> 

Hi Derrell,

That's totally true. In other words: +1.
I'd like to ask a question linked to that.

If I maintain state on the server, say using a JEE session or other technology, it 
is simple to validate that the user is logged in at *each* server request, as you said.
To do that, we're using a JEE filter.

I would love not to have state on the server so it becomes simply scalable (or 
simpler than when the server maintains state).
Then, how to maintain security?
I tried to find a way a few years ago based on an "application cookie" containing a 
ciphered unique number that the server returns for each request.
Example:
login: returns a
1st request sends a + usual request values and returns b + usual request return 
values
2nd request sends b + usual request values and returns c + usual request return 
values ...

Unfortunately, I'm not sure it is secure and we didn't have more time to 
investigate that point, so our server currently uses sessions only for security.

Any idea to improve that?
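An added example, not from this thread: the usual way to drop the server-side session while still checking the requester on every request is a token the server signs with a key it alone holds after login, and then verifies (MAC first, then expiry) in the per-request filter; nothing has to be stored between requests, and no rotating number is needed. Python sketch with a constructed key; a JEE filter would do the same with javax.crypto.Mac.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. In production load it from server configuration;
# it must never be sent to the browser, or anyone could mint tokens.
SERVER_KEY = b"constructed-demo-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl_seconds: int, now: float = None) -> str:
    """Called once, after the login credentials have been checked.
    The claims travel in the clear; the MAC is what makes them trustworthy."""
    now = time.time() if now is None else now
    claims = {"sub": user, "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SERVER_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64(mac)


def verify_token(token: str, now: float = None):
    """The per-request check (the JEE-filter role). Returns the user name,
    or None if the token is malformed, tampered with, or expired."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so timing differences do not leak the MAC.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")
```

Expiry is what bounds the damage from a stolen token, since there is no server-side record to revoke; keep the TTL short and send the token only over TLS.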



_______________________________________________
qooxdoo-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
