Hi Werner,

IMHO it is not possible to make JavaScript-based classes secure. Any encryption
needs a decrypt included in your source, so "my" best practice is to design
a JavaScript frontend just as a viewer. All relevant data should be handled
server-side. So a simple session manager could help you to increase
security.

Regards Sak

-----Original Message-----
From: Werner Thie [mailto:[email protected]] 
Sent: Friday, 28 October 2011 16:52
To: qooxdoo Development
Subject: [qooxdoo-devel] Best practice for storing app state information
during runtime

Hi all

I don't know if this is a concern for <all>, but consider a very simple
hypothetical qooxdoo app serving users with different roles, namely 'user'
and 'admin'. The app stores the user's state locally, thus opening this
information to tampering with tools like Firebug and the like, such that
'admin' rights could be granted to a 'user' by manipulating the locally
stored state.

With more and more state moving back to the web app, the practice of storing
this information locally in the running app's memory in a human-readable
form becomes, in my opinion, more and more questionable.

Options for a browser-local store would include having a periodic or
per-request cross-check of hashes with the server:

- hashes across the sensitive but still open user info
- encrypted cookies as store
- steganographic methods using an image as store
- ???

Opinions welcome!

Thxs, Werner


_______________________________________________
qooxdoo-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
