login page


johnd
I am trying to create a login page. I want to wait on the app
building the GUI until after they have logged in. In my first attempt
I created a login form. I now realize the form is async and my app
can't wait.

I'm thinking the solution is to have the success login event load the
GUI. I assume that I can't have a dialog box that blocks execution
of code till the correct auth info is entered.

Any ideas on this?

If there was a way to say open a dialog box and stop execution until
I get the answer I would do that. I'm new to event-driven
programming.

------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
qooxdoo-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel

Re: login page

Marc Puts
Hi John,

You can move your GUI loading code into a function/listener that is
called only after the user logs in.

For example, by doing something like this:



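   members :
   {
     main : function()
     {
       // Show only the login form at startup
       var form = new LoginForm();
       // Build the rest of the GUI only after the form fires "success"
       form.addListener("success", this.__buildGUI, this);
       form.show();
     },

     __buildGUI : function() {
       // build the rest of your GUI
     }
   }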



Regards,
Marc


On 08/31/2011 10:52 PM, John de la Garza wrote:

> I am trying to create a login page. I want to wait on the app
> building the GUI until after they have logged in. In my first attempt
> I created a login form. I now realize the form is async and my app
> can't wait.
>
> I'm thinking the solution is to have the success login event load the
> GUI. I assume that I can't have a dialog box that blocks execution
> of code till the correct auth info is entered.
>
> Any ideas on this?
>
> If there was a way to say open a dialog box and stop execution until
> I get the answer I would do that. I'm new to event-driven
> programming.

Re: login page

Derrell Lipman
On Wed, Aug 31, 2011 at 16:52, John de la Garza <[hidden email]> wrote:
> I am trying to create a login page. I want to wait on the app
> building the GUI until after they have logged in. In my first attempt
> I created a login form. I now realize the form is async and my app
> can't wait.
>
> I'm thinking the solution is to have the success login event load the
> GUI. I assume that I can't have a dialog box that blocks execution
> of code till the correct auth info is entered.
>
> Any ideas on this?
>
> If there was a way to say open a dialog box and stop execution until
> I get the answer I would do that. I'm new to event-driven
> programming.

Basic concept: Never assume that anything in your browser is private. If you require that the user has logged in before even seeing the rest of the GUI, then the rest of the GUI should not be loaded from the server until after login. Therefore, your concept of having a dialog box that stops execution until login is complete is dangerous because the somewhat knowledgeable user could easily bypass that and cause the already-loaded GUI to be displayed.

If the GUI is private until being logged in, then the correct way to handle it is to load the GUI after successful login. (See Marc's message.)

If the GUI is not really private, then your general concept is ok, but you'll probably want to just not display the GUI until they've logged in. You'd then use the event which contains login success information in which to display your GUI.

Finally, every interaction with the server must validate the requester *at the server*, because the somewhat knowledgeable user could easily snoop on messages being sent, or even look at the code to see what belongs in a message to the server, and create a message that causes some server action that should have required the user to be logged in.

Cheers,

Derrell



Re: login page

Jean-Baptiste BRIAUD -- Novlog

On 31 August 2011, at 23:31, Derrell Lipman wrote:

> On Wed, Aug 31, 2011 at 16:52, John de la Garza <[hidden email]> wrote:
>> I am trying to create a login page. I want to wait on the app
>> building the GUI until after they have logged in. In my first attempt
>> I created a login form. I now realize the form is async and my app
>> can't wait.
>>
>> I'm thinking the solution is to have the success login event load the
>> GUI. I assume that I can't have a dialog box that blocks execution
>> of code till the correct auth info is entered.
>>
>> Any ideas on this?
>>
>> If there was a way to say open a dialog box and stop execution until
>> I get the answer I would do that. I'm new to event-driven
>> programming.
>
> Basic concept: Never assume that anything in your browser is private. If you require that the user has logged in before even seeing the rest of the GUI, then the rest of the GUI should not be loaded from the server until after login. Therefore, your concept of having a dialog box that stops execution until login is complete is dangerous because the somewhat knowledgeable user could easily bypass that and cause the already-loaded GUI to be displayed.
>
> If the GUI is private until being logged in, then the correct way to handle it is to load the GUI after successful login. (See Marc's message.)
>
> If the GUI is not really private, then your general concept is ok, but you'll probably want to just not display the GUI until they've logged in. You'd then use the event which contains login success information in which to display your GUI.
>
> Finally, every interaction with the server must validate the requester *at the server*, because the somewhat knowledgeable user could easily snoop on messages being sent, or even look at the code to see what belongs in a message to the server, and create a message that causes some server action that should have required the user to be logged in.
>
> Cheers,
>
> Derrell


Hi Derrell,

That's totally true. In other words: +1.
I'd like to ask a question linked to that.

If I maintain a state on the server, say using a JEE session or other technology, it is simple to validate that the user is logged in at *each* server request, as you said.
To do that, we're using a JEE filter.

I would love not to have state on the server so it becomes simply scalable (or simpler than when the server maintains state).
Then, how to maintain security?
I tried to find a way a few years ago based on an "application cookie" containing a ciphered unique number that the server returns for each request.
Example:
login: return a
1st request: send a + usual request value and return b + usual request return value
2nd request: send b + usual request value and return c + usual request return value ...

Unfortunately, I'm not sure it is secure and we didn't have more time to investigate that point, so our server currently uses the session only for security.

Any idea to improve that?





Re: login page

Derrell Lipman
On Thu, Sep 1, 2011 at 09:23, Jean-Baptiste BRIAUD -- Novlog <[hidden email]> wrote:
> That's totally true. In other words: +1.
> I'd like to ask a question linked to that.
>
> If I maintain a state on the server, say using a JEE session or other technology, it is simple to validate that the user is logged in at *each* server request, as you said.
> To do that, we're using a JEE filter.
>
> I would love not to have state on the server so it becomes simply scalable (or simpler than when the server maintains state).
> Then, how to maintain security?
> I tried to find a way a few years ago based on an "application cookie" containing a ciphered unique number that the server returns for each request.
> Example:
> login: return a
> 1st request: send a + usual request value and return b + usual request return value
> 2nd request: send b + usual request value and return c + usual request return value ...
>
> Unfortunately, I'm not sure it is secure and we didn't have more time to investigate that point, so our server currently uses the session only for security.
>
> Any idea to improve that?

You might take a look at what Google and the authentication community have done for authentication. http://code.google.com/apis/accounts/docs/OAuth.html

Whether this can be reduced to something that applies only to a single web site, I don't know, but it may give you some ideas.

Derrell
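
Added example, not part of the thread and not qooxdoo code: a Node.js version of the server-side check Derrell describes (validate the requester on every request), done without server-side session state as Jean-Baptiste asks, using an HMAC-signed expiring token. This is a different technique from the rolling "application cookie" in his message; SECRET, TTL_MS, the token layout and handleRequest are assumptions.

```javascript
// Added example (Node.js). SECRET, TTL_MS, the token layout and handleRequest
// are assumptions for illustration, not code from the thread or from qooxdoo.
const crypto = require("crypto");

const SECRET = crypto.randomBytes(32); // server-only key, never sent to the browser
const TTL_MS = 15 * 60 * 1000;         // token lifetime

function sign(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest("hex");
}

// Called once, after the server itself has checked the credentials.
function issueToken(user, now = Date.now()) {
  const claims = JSON.stringify({ user: user, exp: now + TTL_MS });
  const payload = Buffer.from(claims, "utf8").toString("base64");
  return payload + "." + sign(payload);
}

// Returns the user name, or null if the token is missing, forged or expired.
function verifyToken(token, now = Date.now()) {
  if (typeof token !== "string") return null;
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const expected = Buffer.from(sign(parts[0]), "hex");
  const given = Buffer.from(parts[1], "hex");
  // Constant-time compare; timingSafeEqual requires equal lengths.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[0], "base64").toString("utf8"));
  } catch (e) {
    return null;
  }
  if (typeof claims.user !== "string" || typeof claims.exp !== "number") return null;
  return claims.exp > now ? claims.user : null;
}

// Every server action starts with this check; a request built by hand
// (bypassing the login dialog in the browser) carries no valid token.
function handleRequest(req, now = Date.now()) {
  const user = verifyToken(req.token, now);
  if (user === null) return { status: 401, body: "login required" };
  return { status: 200, body: "data for " + user };
}

const demo = issueToken("alice");
console.log(handleRequest({ token: demo }).status, handleRequest({}).status);
```

A token like this cannot be revoked before it expires without some server-side state, and it must only travel over TLS.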

