Hey Dave,
2010/9/23 Dave <[email protected]>:
> I have an HTML login page (Login.html) which is a form that gathers a username
> and password. It controls access to several databases. Most users have access
> to only 1 database, but a few users have access to several databases. These
> users will be presented with a second form (Intermediate.wt) where they can
> choose which database they wish to access. (I don't want to make all users
> choose their database, because most of them don't have a choice - they have
> access to exactly one database.) Finally, I would like to securely pass the
> username/password/database triplet to my application (Schedule.wt).
Since this problem arises from having a separate Intermediate.wt and
Schedule.wt, I must assume you have good reasons for this?
> So, I am thinking that all users should follow a sequence of pages such as
> this:
>
> Login.html --> Intermediate.wt --> Schedule.wt
>
> How can I securely pass the username/password/database triplet? My
> alternatives are:
>
> 1. Make all users press a "submit" button at Intermediate.wt, even if they
> only have access to 1 database.
> 1. Use a GET request from Intermediate.wt --> Schedule.wt (password info
> appears in the URL, so it's not secure).
> 2. Use a GET request with encrypted parameters from Intermediate.wt -->
> Schedule.wt.
> 3. Use an encrypted cookie from Intermediate.wt --> Schedule.wt.
> 4. Use a POST request from Intermediate.wt --> Schedule.wt. But how?
To handle the 1-database case, you do not have a lot of options: a
browser is not very flexible w.r.t. posting. If you do it using a
'server-side redirect', then the user will need to confirm the repost.
Your only option would thus be to render an intermediate page that
contains the authentication information which posts itself to the
Schedule.wt using JavaScript (which will need to reauthenticate!). The
cleanest solution here is indeed to use a WResource.
To handle the multiple-database case, you could do the same but only
after the user has selected his database.
> I think I might be able to use WResource to generate a POST request, but I
> don't understand how.
You could use the resource as the source of an iframe, which returns
an HTML document containing a post which posts itself onload with as
target the toplevel window:
<html>
<body>
<form method="POST" action="/Schedule.wt" target="_top">
<input ... > information for intermediate.wt
</form>
<script>window.onload = function(){document.forms[0].submit();}</script>
</body>
</html>
You can render the iframe using WText with XHtmlUnsafeText formatted
text: "<iframe class=\"Wt-resource\" src=\"" + resource->url() +
"\"></iframe>"
(Wt-resource is a class defined by Wt and used with WFileUpload, which
uses an invisible iframe to upload the file).
Alternatively, an approach we have seen used in the past is to
associate a randomly generated security token with the login of the
user (in some back-end database), which is passed as a GET parameter to
Schedule.wt.
Regards
koen
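As an added illustration of the two ideas in Koen's reply (a self-posting form served into a hidden iframe, and a server-side random token in place of the password), here is a small standalone C++ example. It is not Koen's code and not part of Wt: `HandoffTokenStore`, `htmlAttr` and `selfPostingForm` are hypothetical names, the token is bound to the user and chosen database server-side and redeemed exactly once with a short expiry, and the form carries only that token to Schedule.wt rather than the password. Wiring it into a real `WResource::handleRequest` is left out so the example builds without Wt.

```cpp
// Added example, not from the original thread or from Wt.
#include <chrono>
#include <cstddef>
#include <iostream>
#include <map>
#include <mutex>
#include <optional>
#include <random>
#include <string>

struct LoginRecord {
    std::string user;
    std::string database;
    std::chrono::steady_clock::time_point expires;
};

// Hypothetical server-side store: maps a one-time token to the login it represents.
class HandoffTokenStore {
public:
    explicit HandoffTokenStore(std::chrono::seconds ttl = std::chrono::seconds(60))
        : ttl_(ttl) {}

    // Issue a fresh 128-bit token drawn from the OS entropy source and bind it
    // to the authenticated user and the database they selected.
    std::string issue(const std::string& user, const std::string& database) {
        std::string token = randomHex(16);
        std::lock_guard<std::mutex> lock(mu_);
        tokens_[token] = {user, database, std::chrono::steady_clock::now() + ttl_};
        return token;
    }

    // Redeem exactly once. The entry is erased on first presentation, so a
    // token that leaks afterwards (logs, referer, history) is worthless.
    std::optional<LoginRecord> consume(const std::string& token) {
        std::lock_guard<std::mutex> lock(mu_);
        auto it = tokens_.find(token);
        if (it == tokens_.end()) return std::nullopt;
        LoginRecord rec = it->second;
        tokens_.erase(it);
        if (std::chrono::steady_clock::now() > rec.expires) return std::nullopt;
        return rec;
    }

private:
    static std::string randomHex(std::size_t nbytes) {
        static const char* digits = "0123456789abcdef";
        std::random_device rd;  // non-deterministic source, one byte used per call
        std::string out;
        for (std::size_t i = 0; i < nbytes; ++i) {
            unsigned v = rd() & 0xffu;
            out.push_back(digits[v >> 4]);
            out.push_back(digits[v & 0xfu]);
        }
        return out;
    }

    std::chrono::seconds ttl_;
    std::mutex mu_;
    std::map<std::string, LoginRecord> tokens_;
};

// Escape a value before placing it inside a double-quoted HTML attribute, so
// the generated form cannot be broken out of by the values it carries.
std::string htmlAttr(const std::string& s) {
    std::string out;
    for (char c : s) {
        switch (c) {
            case '&': out += "&amp;"; break;
            case '<': out += "&lt;"; break;
            case '>': out += "&gt;"; break;
            case '"': out += "&quot;"; break;
            default: out.push_back(c);
        }
    }
    return out;
}

// Document the resource would return inside the hidden iframe: a form that
// POSTs only the one-time token to Schedule.wt in the top-level window and
// submits itself on load, as in Koen's sketch.
std::string selfPostingForm(const std::string& action, const std::string& token) {
    return "<html><body>"
           "<form method=\"POST\" action=\"" + htmlAttr(action) + "\" target=\"_top\">"
           "<input type=\"hidden\" name=\"token\" value=\"" + htmlAttr(token) + "\">"
           "</form>"
           "<script>window.onload = function(){document.forms[0].submit();}</script>"
           "</body></html>";
}

int main() {
    HandoffTokenStore store;
    std::string token = store.issue("dave", "schedule_db");   // constructed sample values
    std::cout << selfPostingForm("/Schedule.wt", token) << "\n";
    if (auto rec = store.consume(token))
        std::cout << "Schedule.wt accepts " << rec->user << " on " << rec->database << "\n";
    std::cout << "replay accepted: " << (store.consume(token) ? "yes" : "no") << "\n";
    return 0;
}
```

Schedule.wt then looks the token up on the POST, takes the user and database from the stored record instead of trusting any client-supplied field, and the password never leaves Login.html's own request. The same store works unchanged if the token is passed as a GET parameter, as in Koen's second suggestion; the single-use and expiry checks are what limit the damage if that URL ends up in a log.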
witty-interest mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/witty-interest