
Best practice for securely loading screens *after* authentication?

charris
15 Sep 2010, 7:24 AM
Hi everyone. I'm new to Touch and Ext JS, so pardon the ignorance if this is a really dumb question.

What's the best practice for loading a new screen / content that is only available after user authentication?

For example, say you have two Panels for "login screen" and "main screen" (the main screen appears after logging in). Is it best to just put both Panels in a container with a 'card' layout, and just switch the active card once authentication occurs? Does this pose any security risks? Would it be better to not even instantiate the post-login screen until after authentication occurs?

None of the existing examples seem to use any kind of authentication/login-screen, hence my request for advice.

Thanks!

evant
15 Sep 2010, 7:31 AM
Never trust the client. Never, ever.

axxerion
17 Sep 2010, 5:03 AM
One thing is your application code (js, css, images)... and another thing is your data...
In my business application, I have all the application logic (and resources) downloaded the first time (even cached)... and all data is requested (rest/json) from the server... and, on behalf of the user... the local storage (and sometimes the session storage) is used.

charris
22 Sep 2010, 11:21 AM
Wanted to follow-up on this post with some information that I found helpful (in case another newbie like myself comes across this thread in the future).

In a nutshell, it appears that the "best practice" for logging in is to create a login screen that POSTs the user credentials to the server and then processes the response (e.g., via a success/fail handler that comes with the Ext.FormPanel class).

If the server response indicates a valid login, redirect the browser to a new document (i.e., window.location = 'home.html'). That document can contain all the code that's designed to work with an authenticated user.

There's a tutorial that describes the process in more detail here (http://www.sencha.com/learn/Tutorial:Basic_Login) (it's aimed at Ext JS developers, but still largely applicable to Sencha Touch).

souley hype
5 Jan 2011, 11:01 AM
Hey Charris, I am still new to both Ext JS and Sencha Touch. Can I see your code on this using Sencha Touch, please?
Thanks!

thomyorke
6 Jan 2011, 1:41 PM
> Wanted to follow-up on this post with some information that I found helpful (in case another newbie like myself comes across this thread in the future).
>
> In a nutshell, it appears that the "best practice" for logging in is to create a login screen that POSTs the user credentials to the server and then processes the response (e.g., via a success/fail handler that comes with the Ext.FormPanel class).
>
> If the server response indicates a valid login, redirect the browser to a new document (i.e., window.location = 'home.html'). That document can contain all the code that's designed to work with an authenticated user.
>
> There's a tutorial that describes the process in more detail here (http://www.sencha.com/learn/Tutorial:Basic_Login) (it's aimed at Ext JS developers, but still largely applicable to Sencha Touch).

Couldn't the user simply look at your .js file and see that you're redirecting to another document, which they could then plug in manually?

Isn't it safer to just create your secured section panels as a var and then use varname.show() or sink.Main.init() in the case of the kitchensink example?

Actually, now that I think of that, couldn't the user just open the console and type in "sink.Main.init()" to bypass security also?

Anyone have a better suggestion?

Rohall
6 Jan 2011, 1:51 PM
Here's some general direction:

Authenticate the user and assign them a session key. Secure panel content should be loaded via Ajax calls to a server. These calls should use the session key to prove to the server that they come from authorized users.

You will need a small server-side solution to successfully implement this as well as your Sencha app. Under no circumstances is it advisable to store sensitive data in js files.