[Za-pm] RE: maintaining state

Mark Hewitt mh2 at isis.co.za
Fri Sep 12 03:40:38 CDT 2003


On 12 September, 2003 10:15, Dr Giancarlo Contrafatto
[SMTP:contrafa at biology.und.ac.za] wrote:
> On Thu, 2003-09-11 at 19:00, za-pm-request at mail.pm.org wrote:

[snip]
> > I need to maintain state (cookies, variables, sticky widgets or something)
> > on a website where users log in and need to retrieve their information.
> > However, the html pages and forms have already been designed with
> > DreamweaverMX which rules out dynamic page generation with CGI. How do I go
> > about retrieving information and placing it on the fields in the html pages
> > after the user has logged in? I've completed the "Registration" scripts
> > which place the information into a MySQL database.
> >
> > Werner Moller
> 
> Hi folks;
> 
> yes, you can do all that with client-side Java Scripting although, as
> Mark mentioned, there may be the odd reliability problem in cases such
> as when the user bypasses your scripted page by means other than a link
> from a document. On the other hand, I have been doing client-side Java
> password validation on my site for quite a few years and have not had
> real problems with reliability. I suppose that's to be expected since
> the bulk of traffic on my site is made up of my students, perhaps a few
> hundred hits a day during term: hits from outside may be as much as a
> dozen a day.
> 
> I don't believe that security is a major problem for two reasons.
> Firstly, the scripts are client-side so, besides reading privileges,
> there is no access to the server

This is not the problem. The problem is that users can/will attempt to break
your site by bypassing your validation and password protection,
accessing hidden pages, for example, as I think you mentioned already.


> : the client browser executes the script
> and the cookies are written to the client machine. Second, the least
> you'd do, would be to write your Java Script in an external script file,
> maybe served from a more secure directory, so that the users would not
> ordinarily get to see it,  [snip]

Not true: the browser needs to see and execute the .js file, thus it must
download it to the client browser, "compile" it and execute it.

Therefore, the browser must have read access to the directory with the
javascript, and because it can be downloaded by a browser, it can be viewed by you.

Ever tried typing the url of the src="http://www.xx.com/xx.js" tag directly
into your browser? You see the source code!!


> 
> A further advantage is that you would not even need to use a formatted
> dbase file such as MySQL. All info can be stored in a flat, text file or
> within a reasonably hidden Java script. At the moment, for example, I
> keep logon info for some 100 odd students in a script without apparent

Remember, if this is in a file, it cannot be accessed on the server by
the client, and must be loaded in a javascript and sent to the client, or
loaded using a src="xxx.js", which is not secure (see above).

This means I might be able to access login information for all your
students, and log in as anybody I like.


Remember, I am not saying here "never do this, it's evil!!"
It is maybe evil, but _everything_ you ever do or consider is dependent on
_what_ you are trying to do.

Sounds like your solution is working well for you; you've been lucky and
your students have not been up&coming crackers!! However, this may not be an
advisable solution given a different environment, so I felt I should point
out that while it works, it is not the best solution. You also need to take into
account future plans and potential growth for your site, and perhaps take
the extra time now to implement a solid base to enable your future
extensions to deploy more smoothly.


My 2c
Mark
---------------------------------------------------------------------------
Windows, Linux and Internet Development Consultant
Cell: +27 82 9655295
Email: corporate at scriptsmiths.com
Web: http://www.scriptsmiths.com
---------------------------------------------------------------------------

> loss of efficiency. It should actually be quicker than having to start
> an SQL server, search and validate. Admittedly, since I have control
> over my own server, I should do this by CGI and I may do so in the
> future but, for the time being, it all seems to be working fine.
> 


> ciao
> 
> -- 
> all men who have achieved great things have been great dreamers. 
> Orison Swett Marden
> ####################################################################
> Dr. Giancarlo Contrafatto
> School of Life and environmental Sciences
> University of Natal, 4041, Durban, RSA
> Tel: +27 031 2603336 contrafa at biology.und.ac.za
> ####################################################################
> visit Darwin at http://contra.biology.und.ac.za/
> 


