We have a app which works offline as the data is stored locally using local storage and HTML5 offline capabilities.
We want a way to authenticate the user when the user tries to launch the app offline (from a security purpose if ipad gets stolen).
We already have the authentication mechanism when the user tries to access the app while online
Crudely, you can use the person's password as the local storage database name. No password, no database access.
One solution is to save the last successful online login into some local storage. Now when user is in offline-mode then compare with the value stored in Local Storage.
Following is the sample snippet for Local Storage in HTML 5 :
if (window.localStorage.getItem('value')) {
dummy = window.localStorage.getItem('value');
}
Hope this might solve the problem.
Related
I just started on a new Electron project that needs to access a database, e.g. SQLite. The database will be on a shared drive that should be accessed by the Electron app.
To do that, I need to provide the path as well as the password for the database to the Electron app. Since it's desktop application, I deliver the whole application incl. the database credentials to the user.
From my point of view, this is not a good approach from a security perpective.
So the question is, where do I store these details, especially the credentials?
The same issue applies if I use e.g. another database like MySQL. There, I also need to store the host and the credentials.
Am developing a Windows Store 8.1 app using C# and xaml.
In the app, Initially user will log in into the app using Azure Active directory single sign on log in(With Internet connection)
But how to authenticate the user in Azure Active Directory when the user is not connected to the internet?
I want my app to work in offline mode too..
How can i achieve this?
When you 'log in', there should be an artifact produced. In the case of OpenIdConnect there is an id_token, OAuth produces an AccessToken. If those are captured and stored securely, then there will be evidence that the user did authenticate to AAD at one time. The artifacts of that 'log in' have expiration times.
Backing up, when a user logs in, how is that identity used? Do you managed protected resources yourself OR do you reach out for them?
you can use SQL lite and save the user's details in it by encrypting it..
The next time when he logs into the app you can simple validate his credentials against his details from the DB like you would do in any website/webapp.
Side note : We have a service which runs in the background every 4 hours to check if the user's credentials have changed, if its changed fetches the new credentials and updates it in the local sql lite db
I have developed a mobile web application(html5, jquery, css) packaging PhoneGap in which a encrypted id (after first login) is stored in local storage for authentication when, the user logs in the encrypted id is sent to server and hence he is authenticated. This local storage works fine when I go out of the application and come again, but when I force close the application the local storage gets cleared...and the login is need to be done again...
How can I make the local storage presist even if the application is force closed?
I'm developing an App which should have a Login, so the user has to authenticate itself every time he uses the app.
The app should not require the user to have an connection to the network; the password is device/user-specific.
Is there a common way how to save the password?
Here are some links, which might be useful to you.
Best practice for saving sensitive data in Windows 8
Managing user info (Windows Store apps using C#/VB/C++ and XAML) - MSDN
Using PasswordVault to securely store passwords in WinRT
CryptoWinRT sample (This sample shows how to use the new Cryptography APIs.)
I have IIS7.5 with two websites, and I have an Access database on a server on our network.
The first website has anonymous auth on, using a specific network account (lets say 'jim.smith').
The second website has windows auth on.
I've written some ASP to use a DSN-Less connection to the Access database, and I'm using the same code in both websites.
When logged on to a computer with the same network account as is in use with the first website anonymous setting ('jim.smith') - when viewing in a browser, the first website has access to the database, the second website does not.
The error message is: 80004005 The Microsoft Jet database engine cannot open the file '...'. It is already opened exclusively by another user, or you need permission to view its data.
It is definitely not opened by another user.
So the first website is being accessed by network user 'jim.smith' via the anonymous setting.
The second website is being accessed by network user 'jim.smith' via windows auth.
Why would access to the database work from website one, and not website two..?
Does anyone know how to make windows auth work the same as the anonymous setting so I have access to the database from website two..?
Cheers!
Steve
Edit: Everyone has full rights to the folder where the database sits.
Seems to me that you need to enable impersonation so that the incoming user is used to acces the database. Otherwise the user of the application pool is used and this usually doesn't even have right on the server itself ( Application Pool Identity)
When using 'Integrated Pipeline' on IIS on the server, and if your application does not rely on impersonating the requesting user in the 'BeginRequest' and 'AuthenticateRequest' stages (the only stages where impersonation is not possible in Integrated mode), but still requires Impersonation in other areas of the application, ignore this error (500 - Internal Server Error) by adding the following to your application’s web.config
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
</system.webServer>
See:
http://allen-conway-dotnet.blogspot.com/2010/11/how-to-use-impersonation-in-aspnet.html