I have developed a mobile web application(html5, jquery, css) packaging PhoneGap in which a encrypted id (after first login) is stored in local storage for authentication when, the user logs in the encrypted id is sent to server and hence he is authenticated. This local storage works fine when I go out of the application and come again, but when I force close the application the local storage gets cleared...and the login is need to be done again...
How can I make the local storage presist even if the application is force closed?
Related
I am developing an invoice app with Angular + NodeJs + MySql.
The thing is, the app is planned to be used by one employee in his office. No need for online servers.
It is not problematic to deploy the app online, but the internet is unstable in the zone (Latinamerican problem. You may lose connection for hours, and even voltage variations that may shut down the PC).
So the app must be self sufficient to always work offline.
So my questions are:
Can I simply deploy the app offline? Like in local. If that is the case, I would need for everything to be initialized automatically when the user opens the app (server open, database connected...).
If I have no way but to deploy the app online, should I use Firebase? Also, what happen if the internet service shut downs for hours? Is there a way for the database to be available offline and sync when the internet gets back?
You could build the app as an Electron App, then its becomes a locally run program. https://www.electronjs.org/
You can host it anywhere, but turn the app in to a PWA, which means it will work locally in the browser after a successful visit (gets installed with a service worker in browser) For the database it self, you can store data in the browser but some are limited to 5mb of data in the localstorage / sessionStorage / indexdb. Firebase does have some locally cached data. But if the browser is closed it can be lost.
If it needs to run locally i would go the electron route. Its slightly harder to do but it fills out your usecase better.
You can use both ways if you want to be sync like situation you have to hold data if your internet is not working in local storage or indexed db.
and it is fine you can deploy locally also or make one dedicated server which is always on.so any body in same network can use that angular app easily.
Just take care of backup plan when you system corrupt you should have proper backup of database for such scenario.
Check list of Items I have done:-
added new salts (better security pro paid plugin = max'd out security)
brute force attack is on and has not stopped all attempts.
changed login (simple wp login plugin)
monitor file change (simple history plugin)
monitor live actions (wordfence plugin)
deleted wp-login.php (add using ftp program when I want to login)
deleted admin.php (didn't make a difference still get login attempts)
changed the nickname and deleted old user so public see fake name
There must be another way these login attempts ares still coming in
I just delete the ajax login from the admin folder
Is this a plugin exploit?
Is it possible to be a database attack?
How would I monitor the mysql?
There's really nothing you can do to prevent someone from sending HTTP requests to your server, which is what is most likely going on. I assume that you are seeing these login requests in your log files?
My suggestion would be to deploy a web application firewall of some kind, which is independent of WordPress and is designed to integrate with Apache or Nginx, such as ModSecurity which is OpenSource. This will at least give you some more options at the web application layer.
Let's say I'm building a "secure" offline HTML5 app which must be run locally in the web browser without needing to download more files from the server. Let's say I connect to the server initially with the web browser over HTTPS (TLS) and download the HTML, JavaScript and CSS required to run locally. I can reasonably assume that the first time I download the files that it is done securely as it is a brand new server that no-one else knows about yet. All the files get stored in the HTML5 Offline Application Cache. Now I have everything I need to run the application locally and shouldn't depend on the server for anything else.
Now every time I run the app, the application will use the HTML5 Offline Web Application Manifest to see if there are any updates from the server for the app to be downloaded. Potentially this could be a problem. If an attacker has now targeted my server and has done a MITM attack on the connection they could alter the application manifest, causing an update to be triggered and therefore make the client download new JavaScript and HTML. This would easily compromise the security of the application as the application relies on the integrity of those files.
What are some possible options to prevent this? Can we do any of these:
1) Completely disable or block updates from the server after all files have been downloaded. Then if the manifest is changed on the server, or the attacker serves up a new manifest, then the client ignores the new manifest and keeps using it's local copy of the files.
2) Detect if the manifest has been changed, or an update event triggered, or the browser is downloading new files. Therefore notify the user that this has occurred. And if it's not expected from the user, then it would indicate an attack. I understand that the there is a 'downloading' or 'updateready' or 'checking' event listed in the spec. Is there a way for the JavaScript to detect that those events have been fired?
3) Store a version value or cryptographic hash of the files inside the browser's local storage. Then on page startup, if the files change unexpectedly, we can throw up an alert to the web browser notifying the user they have been unexpectedly changed.
4) Perhaps use some sort of cache header that forces the browser to cache the files indefinitely. In other words, a kind of hack to make it ignore new manifest files that are sent by the server. This sounds like it could probably work as there are lots of issues that can cause the application not to update even when the manifest file is changed.
Thank you in advance.
We have a app which works offline as the data is stored locally using local storage and HTML5 offline capabilities.
We want a way to authenticate the user when the user tries to launch the app offline (from a security purpose if ipad gets stolen).
We already have the authentication mechanism when the user tries to access the app while online
Crudely, you can use the person's password as the local storage database name. No password, no database access.
One solution is to save the last successful online login into some local storage. Now when user is in offline-mode then compare with the value stored in Local Storage.
Following is the sample snippet for Local Storage in HTML 5 :
if (window.localStorage.getItem('value')) {
dummy = window.localStorage.getItem('value');
}
Hope this might solve the problem.
I have IIS7.5 with two websites, and I have an Access database on a server on our network.
The first website has anonymous auth on, using a specific network account (lets say 'jim.smith').
The second website has windows auth on.
I've written some ASP to use a DSN-Less connection to the Access database, and I'm using the same code in both websites.
When logged on to a computer with the same network account as is in use with the first website anonymous setting ('jim.smith') - when viewing in a browser, the first website has access to the database, the second website does not.
The error message is: 80004005 The Microsoft Jet database engine cannot open the file '...'. It is already opened exclusively by another user, or you need permission to view its data.
It is definitely not opened by another user.
So the first website is being accessed by network user 'jim.smith' via the anonymous setting.
The second website is being accessed by network user 'jim.smith' via windows auth.
Why would access to the database work from website one, and not website two..?
Does anyone know how to make windows auth work the same as the anonymous setting so I have access to the database from website two..?
Cheers!
Steve
Edit: Everyone has full rights to the folder where the database sits.
Seems to me that you need to enable impersonation so that the incoming user is used to acces the database. Otherwise the user of the application pool is used and this usually doesn't even have right on the server itself ( Application Pool Identity)
When using 'Integrated Pipeline' on IIS on the server, and if your application does not rely on impersonating the requesting user in the 'BeginRequest' and 'AuthenticateRequest' stages (the only stages where impersonation is not possible in Integrated mode), but still requires Impersonation in other areas of the application, ignore this error (500 - Internal Server Error) by adding the following to your application’s web.config
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
</system.webServer>
See:
http://allen-conway-dotnet.blogspot.com/2010/11/how-to-use-impersonation-in-aspnet.html