Kaze

[web] Integrating web login and client/server app


Kaze    948
Is there any way I can have a client and server application, with the client embedded into a web page, and have the server get user information from the web login but still be secure? Also, I haven't committed to a web language yet, but if I chose ASP.NET and C# for the server, would that make it easier?

ID Merlin    119
You're asking if a web app can be secure? The answer is... it depends. Haven't you ever used online banking, stock trading or even a message board? Most of those are secure. But there are lots of ways to write a not so secure web site, too. I'd recommend you get a good book on web development using C#, if that is your preferred language.

Feralrath    163
In the end it all comes down to this: your client would have to have some way to interact with the database and know the information about the person controlling the client (your user).

This information is usually stored inside a cookie or session. The most important thing to remember when storing information in a cookie or session is that they are not secure, so don't store any personal information in them, such as the username or password of the user.

When I was designing the user system for the site I am currently working on, I decided to go with a three-part session/cookie variable. My site is designed with PHP, so I used the serialize function to take an array and make it a string that is then encrypted using a simple XOR encryption algorithm.

The encryption is more to make it so the serialized data cannot be read by normal means, not really for security reasons.

The session/cookie variable does not contain any personal information. It contains only their user ID (an auto-incremented number in the database), their display name (which is different from their login name, is stored in a different database table, and cannot be used to access any information on the site; it is only used as a means of giving the person an identity on the site and forums), and a session variable (a randomly created 64-bit value that is assigned to a user when they register). With this information the site software can then access the database for that user and gather the required information.

If the user wants to change any of their personal information, they still need to know their real login name and their password. So even if by some means someone was able to spoof their session/cookie variable, they still would not be able to do anything more than post in the forum.

So after that long-winded explanation, the answer to your question is yes, there are plenty of ways to make web applications secure. If there weren't, as Merlin said, there would be no online banking or any form of online payment system. As with anything, redundancy will always save you, so make sure that you are always checking and rechecking the user's information. And if anything hinky is spotted, take the proper action.

Feral

ToohrVyk    1596
Depends on what you mean by "secure". You can be as secure as giving every new user a unique identification scheme (a private key) that you can check upon connection to see if it's the right person.

Or you can go with letting the person log in with a user/password pair through HTTPS, which is a tad less secure (because a password is easier to brute-force or steal once you know the user name) but still secure enough for most purposes.

Server language has nothing to do with it—you can achieve full security in Java, ASP.NET, Ruby and PHP equally.

Quote:
Original post by Feralrath
When I was designing the user system for the site I am currently working on, I decided to go with a three-part session/cookie variable. My site is designed with PHP, so I used the serialize function to take an array and make it a string that is then encrypted using a simple XOR encryption algorithm.

The encryption is more to make it so the serialized data cannot be read by normal means, not really for security reasons.

Be warned, though, that deserializing data that has passed through untrusted participants (that is, anything except the server and the database) is a security risk.

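The cookie scheme Feralrath describes (serialize the [user ID, display name, session] array, XOR it with a fixed key, hand it to the browser) and ToohrVyk's warning about deserializing anything that has passed through the client, worked through as an added example. This is not code from the thread or from either poster's site: it re-models the PHP design in Python, with JSON standing in for serialize()/unserialize() so the payload itself is inert, and the XOR key, HMAC key, user IDs, display name and session value are all constructed for the demonstration. The first half shows that the holder of a cookie, knowing only their own user ID and display name, can recover the repeating XOR key by a known-plaintext attack and then write whatever bytes they like into what the server deserializes; the second half is the usual replacement, a plaintext body plus an HMAC-SHA256 tag that the server verifies in constant time before it parses anything.

```python
import hashlib
import hmac
import json
import secrets

# ---------------------------------------------------------------------------
# 1. The scheme from the thread: serialize the array, then repeating-key XOR.
#    Constructed key; the attacker never sees it directly.
# ---------------------------------------------------------------------------
XOR_KEY = b"s3cr3t"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_xor_cookie(user_id: int, display_name: str, session: int) -> bytes:
    """Server side at login: serialize the three fields, then XOR them."""
    payload = json.dumps([user_id, display_name, session]).encode()
    return xor_bytes(payload, XOR_KEY)


def read_xor_cookie(cookie: bytes) -> list:
    """Server side on every request: undo the XOR and deserialize.
    Nothing here checks that the server produced these bytes, so the
    deserializer receives whatever the client chose to send.  JSON is
    harmless to parse; PHP unserialize() or Python pickle would not be."""
    return json.loads(xor_bytes(cookie, XOR_KEY))


def recover_xor_key(cookie: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext attack by the cookie's own holder.  They know their
    user ID and display name, hence the first bytes of the serialized array.
    XORing those against the cookie yields the keystream; the key length is
    found by trying each candidate until the whole cookie decrypts to a
    well-formed three-element array."""
    for n in range(1, len(known_prefix) + 1):
        candidate = xor_bytes(cookie[:n], known_prefix[:n])
        try:
            fields = json.loads(xor_bytes(cookie, candidate).decode())
        except ValueError:          # bad UTF-8 or bad JSON: wrong length
            continue
        if isinstance(fields, list) and len(fields) == 3:
            return candidate
    raise ValueError("key not recovered; prefix shorter than the key?")


def forge_xor_cookie(cookie: bytes, known_prefix: bytes, new_user_id: int) -> bytes:
    """Attacker: recover the key, decrypt their own cookie (which also reveals
    their session value), rewrite the user ID, and re-encrypt.  The server
    will deserialize the result exactly as if it had issued it."""
    key = recover_xor_key(cookie, known_prefix)
    fields = json.loads(xor_bytes(cookie, key))
    fields[0] = new_user_id
    return xor_bytes(json.dumps(fields).encode(), key)


# ---------------------------------------------------------------------------
# 2. Hardened form: same fields in plaintext JSON plus an HMAC-SHA256 tag.
#    The tag is checked in constant time BEFORE anything is parsed, so only
#    bytes the server itself produced ever reach the deserializer.
# ---------------------------------------------------------------------------
HMAC_KEY = secrets.token_bytes(32)   # constructed here; normally loaded from config


def make_signed_cookie(user_id: int, display_name: str, session: int,
                       key: bytes = HMAC_KEY) -> str:
    body = json.dumps([user_id, display_name, session], separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def read_signed_cookie(cookie: str, key: bytes = HMAC_KEY):
    """Return the three fields, or None if the tag is missing or does not
    verify.  The hex tag contains no '.', so rpartition splits correctly
    even if the display name contains one."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


if __name__ == "__main__":
    session = 0x123456789ABCDEF0                 # constructed 64-bit session value
    legacy = make_xor_cookie(17, "kaze", session)
    prefix = json.dumps([17, "kaze"]).encode()[:-1]   # b'[17, "kaze"' : what the user knows
    print("recovered key:", recover_xor_key(legacy, prefix))
    print("server reads forged cookie as:", read_xor_cookie(forge_xor_cookie(legacy, prefix, 1)))
    signed = make_signed_cookie(17, "kaze", session)
    print("signed cookie verifies:", read_signed_cookie(signed))
    print("tampered signed cookie:", read_signed_cookie(signed.replace("[17,", "[1,", 1)))
```

Note what the forgery does and does not buy the attacker under Feralrath's design: the rewritten cookie still carries the attacker's own session value, so a server that looks that value up against the target user's row will reject it. What the XOR layer adds is nothing at all; every byte that reaches the deserializer is chosen by the client, which is ToohrVyk's point. The signed form keeps the same three fields readable (they were never meant to be secret) and makes the server the only party able to produce a cookie it will accept.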
