I'm building a webapp specifically for iOS and Android devices which requires user to sign in with their Facebook or Twitter accounts. I have it setup so that initially they're redirected to the appropriate login page and upon successful completion my provided calllback url is triggered.
Because I want to implement a single sign on, I will be storing on the user's device the access token that I received so they can easily access the webapp without having to sign in again next time.
My question is this: is it better to store it as an html4 cookie from the server side? Or is it better to insert it as a hidden input in the home page and have javascript on the client grab it and store it with the new local/sessionStorage? And if the latter, which type of storage would be better for this type of data that I would like to save?
Related
For our ASP.NET application we have an API which users can use to send data from their website forms (e.g. a sign-up form) directly to our application.
To use this, obviously some programming is required to connect their forms to our API. Some users (or their website developers) find this too difficult. So the idea is to provide a standard webform which can be included in their website using an iFrame. The webform should be unique per user, specified by using an ID or key in the URL or in a hidden field. For example, they can link their iFrame to an URL like https://myapplication.com/webform/CustomerID-1001
My question is how can we secure this webform? For the API we use an API-key, but that is used only serverside. Since the suggested webform is hosted in our application, the user cannot set anything serverside. So how can we prevent a malicious website visitor from copying the entire form (including the complete URL or hidden fields) from a valid user's website and using it in an iFrame on their own malicious website? (or at least stop the form from working in this case)
Do you have any suggestions about securing such a webform?
Wanted to discuss under-the-hood information about how session is managed in case of mobile apps - native, hybrid and web applications?
Please validate below Session Management scenarios:
Native (Android/iOS) application
Using Session Cookies: Session cookies are stored in your DefaultHttpClient object. Instead of creating a new DefaultHttpClient (AFNetworking in iOS) for every request, hold onto it and reuse it, and your session cookies will be maintained.
Hybrid (JET, ionic, Angular, Cordova) application
Use localStorage to store the user info after a successful login. On logout clear the localStorage.
Web-HTML5 apps
Attribute-SessionStorage in HTML5: Can be used by the sites to add data to the session storage, and it will be accessible to any page from the same site opened in that window i.e session and as soon as you close the window, session would be lost.
Thanks and Regards,
Rohit
Old way of managing sessions is via cookies.
How it works? When your user enter username and password in your login screen, you give him a session cookie. This cookie is maintained every interaction within your user browser and your web site.
You need to maintain this cookie in your server side. In addition to this session cookie, web sites hold additional information about user in server side session too.
What is problem of this approach?
Inherently, it is not scale-able.
If your user numbers are not high, you can hold this session cookies and additional information in one web server. But if user numbers are high, you need to solve with this with different approaches, like holding this session information in a database or session server.
What is new way of storing sessions
Modern browsers has a local storage capacity. This local storage is ideal for non-critical information for users. Session storage is one session only and when user closes browser (tab), it is deleted. Local storage is for one site, and you need to explicitly delete it or users may choose to delete it.
Store any non-critical information here. If your users logs out from your site, delete them.
Hybrid (JET, ionic, Angular, Cordova) application
A Cordova application is no different from web browser. Here you are sure that your user is only user in this computer (mobile phone); therefore, use exclusively local storage.
Native (Android/iOS) application
Use sqlite to hold your all session information. Never use cookie authorization with native application, it is unnecessary and not scale-able. Use token authorization.
All applications.
For all applications use your login screen to get authorization token, for example JWT token and store it in your application.
web application - local storage
hybrid application mobile - local storage
native application - sqlite
Read difference between cookie authorization vs token authorization here.
Confidential Information
Do not store any confidential information (password, credit card ..) in any of these storage. Store them in your database, and show them to user case by case.
I built a Chrome Extension, where a login form is displayed as a side bar using content scripts injection. I do not want the user to see this login form if the user is already logged in on the website and vice versa if the user logs in on the Chrome Extension and then visits the website, user should automatically log in.
I am returning tokens from the backend when a user successfully logs in.
My question is, what is the best way to store these tokens so both the content scripts in my extension and the website have access to the token to check to see if the user is already logged in.
As far as I understand I have localStorage, ChromeStorage but I do not know if they are shared between the tabs of the browser and the extension.
Any direction is highly appreciated.
Thank you.
If you're returning tokens, a reasonable way to do it would be to inject a content script into pages that match the callback URL containing the token, extract it and save into chrome.storage. It is shared between the content script and all other extension contexts.
Do note: chrome.storage is not exactly secure: it's not encrypted on disk, and can be snooped upon with Dev Tools. Then again, the token is normally stored in the cookie store, which can be likewise examined even without access to the (slightly) more secure password storage.
Perhaps the only more secure way to keep the token in the extension is chrome.identity API, but then you have to login separately, defeating your goal.
We have an MVC/AngularJS system with a Web API back-end that uses Azure ACS and AAD to authenticate our users. The authentication works well, and when the user first authenticates the claims from ACS are passed in in the token.
We override the ClaimsPrincipal Authenticate method and verify that this user is a user of our system and add role claims here too.
After this the user is directed to the home page and the next step of the process requires the user to select an item from a list (e.g. their current location).
This selection determines how certain settings are applied in the web application. When the user makes this selection we make an ajax call to the Web Api back-end and here we add another three claims to the token, reflecting the user's selection.
Now if I refresh the page after this selection has been made the whole process starts again, but different browsers behave differently.
For Chrome and Opera the 'ClaimsPrincipal Authenticate' is called again, the roles are added again and the user need to make the selection again to add the three claims (i.e. when the page is refreshed a copy of the token before our code modified it is used).
For Firefox and IE the refresh passes in a token with all the claims that we added programatically, so it didn't revert the token to the initial state.
The latter behaviour is what I would have expected and what I would prefer. Is there any documentation on this, and for Chrome and Opera is there a way to ensure the current token is used when the page is refreshed?
I read this in Wiki:
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is usually a small piece of data sent from a website and stored in a user's web browser while a user is browsing a website. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user's previous activity.[1] Cookies were designed to be a reliable mechanism for websites to remember the state of the website or activity the user had taken in the past. This can include clicking particular buttons, logging in, or a record of which pages were visited by the user even months or years ago.
Now I want to know who creates cookies. Is it the browser or can every site create a cookie on its own? Who controls what information has to be saved in cookie and how can all the form field data be saved in cookie?
I think "Setting a cookie" section will help you a lot.
http://en.wikipedia.org/wiki/HTTP_cookie
The website creates the cookie, whether front end (Javascript cookie) or back end (PHP cookie)
The website developer controls what is stored in the cookie.
The website developer gets the information from a form, processes it, then stores it in the cookie.
COOKIES are created by site owner. cookies are actually client side sessions.
Now I want to know who creates cookies. Is it the browser or can every site create a cookie on its own? Who controls what information has to be saved in cookie and how can all the form field data be saved in cookie?
Cookies are created on the client machine by the web server. cookies are initiated using php sessions the browser on the client side stores this cookie as phpsession id which identify s the user the php on the server can then recognize the user by the cookie which is sent from the client to the server. (via the browser).
The creator of the website will control what data is contained in the cookie, for example
`<? php
session_start();
if($_SESSION['logged_in'] == "")
{
header("Location: login.php");
}
?>`
for example the above code would check if the user had the value 'logged_in' if they had not logged in they were redirected to the login page. else they could continue to view the page.
" THanks you , could please let me know can one site access cookies of other site and read information from it and make sense out of it – Vinayjava 1 hour ago"
Yes one website is able to grab information from another website this is known as Cross site request forgeryand is most often performed via XSS injection etc, it can be used to steal user cookies..
any other questions about cookies message me i should be able to help