This is a migrated thread and some comments may be shown as answers.

Please help me understand the basics of an app with authentication

6 Answers 55 Views
General Discussion
This question is locked. New answers and comments are not allowed.
Markus
Top achievements
Rank 2
Markus asked on 10 Oct 2013, 09:28 AM
Good day 

Coming from web design, where everything is on the server, I would appreciate it very much if someone could outline the basic concept of how to do it in app design. No code needed, just how it should basically work.

Here is what I have

SQL DB

table_database
database_Id: 1
database_name: test 1
database_Id: 2
database_name: test 2

----------------------------------

table_users
user_ID: 1
database_ID :1 <- matching the user to table_database
user_name: JohnDoe
user_password_hashed: 8939xlsljsdf93

user_ID: 2
database_ID :1 <- matching the user to table_database
user_name: JaneDoe
user_password_hashed: 99skdhask

user_ID: 3
database_ID :2 <- matching the user to table_database
user_name: JohnSmith
user_password_hashed: 8sonjsadfi98

----------------------------------

table_content
content_ID: 1
database_ID: 1 <- matching the content to the table_database

content_ID: 2
database_ID: 2 <- matching the content to the table_database

content_ID: 3
database_ID: 1 <- matching the content to the table_database

----------------------------------

Now in a web solution, after the user enters his username and password I hash the password, compare it to the value in the DB and, if OK, save the database_ID in the session and simply show the user all entries from table_content with the corresponding database_ID.


Here come some simple/stupid questions.

I can get my JSON over https://, but still, what would make more sense security-wise?

Option A

1) the user enters username and password on phone app (he will have to do this every time -> not saving anything or autologin)
2) I hash the password and make my JSON request with username and hashed password

Option B

1) the user enters username and password on phone app (he will have to do this every time -> not saving anything or autologin)
2) Make my JSON request with username and password and hash it on the server


Am I right that Option A is the correct way?

----------------------------------

The question is now: how do I get the table_content entries corresponding to the database_ID, security-wise?

Well, the JSON is available on the web, so I need to make sure that a phone app user can only get the table_content entries corresponding to his database_ID from table_users.

Kind of hard to explain but pretty simple - just what's the concept for getting this done.

The app is a spin-off from a site that can be accessed through the browser.

Markus

6 Answers, 1 is accepted

0
Markus
answered on 15 Oct 2013, 06:04 AM
Anyone willing to shed some light on this for me?

Markus
0
Steve
Telerik team
answered on 17 Oct 2013, 01:49 PM
Hello Markus,

You can secure the server side using the authentication technology of your choice and then make ajax calls to the rest service passing along the credentials. The following two posts by Raymond are pretty descriptive and should give you the basic idea:

Regards,
Steve
Telerik
You've missed the Icenium Visual Studio Integration keynote? It has been recorded and posted here.
Looking for tips & tricks directly from the Icenium team? Check out our blog!
Share feedback and vote for features on our Feedback Portal.
0
Markus
answered on 18 Oct 2013, 07:56 AM
Dear Steve

Thanks for taking the time to link me. However, my problem is less the authentication than how to make sure that once the user is logged in he can only access his data.

table_content
content_ID: 1
database_ID: 1 <- matching the content to the table_database

content_ID: 2
database_ID: 2 <- matching the content to the table_database

content_ID: 3
database_ID: 1 <- matching the content to the table_database

Again, in web development I save the database_id associated with the user in a session cookie. I then use this session cookie to retrieve the data.

Now in mobile development, when I make a new call to fetch data I of course need to pass this DatabaseID. And of course anyone could then simply try to pass a database ID through the web (recompile the apk and you know the URL of the JSON).

So the question is: should I simply do the login procedure every time I go for the data, meaning extend my JSON to not only fetch the data but every time get and check the databaseID?

Hope you can understand what I try to explain.

Markus
0
Steve
Telerik team
answered on 21 Oct 2013, 03:13 PM
Hello Markus,

I do not quite understand your security concern, as anyone can get your service url and pass a database_id to it from your website as well. One should have a valid content_ID in order to proceed and you generate this based on the login and secure it on the server side. If you wish you can use a cookie to retrieve data in the Icenium app as well. Basically a hybrid app based on Cordova is pretty much a web app, so no big differences there.

Regards,
Steve
Telerik
0
Markus
answered on 21 Oct 2013, 03:30 PM
Dear Steve

When I am web developing I am not using a service, of course :-) That's the big difference.

I guess it's hard to explain, or I might really have no clue at all.

Web development

I can get all entries from table_content after authenticating the user on the server, saving a cookie with his database_ID ON THE SERVER after he is authenticated.

So no authentication no session cookie with his database_ID. 

Then I can get the data from table_content based on that server cookie.

--------------

In a mobile app I was under the impression that I would not have a cookie that can be set.

If I can set a cookie in my phone app, do you have a link to an example?

Markus
0
Steve
Telerik team
answered on 23 Oct 2013, 12:33 PM
Hi Markus,

I was under the impression you're trying to do an easy site-to-mobile migration. If you would be doing the mobile implementation from scratch, then instead of a cookie, review and consider handling the authentication process via localStorage. It's a persistent key-value store, e.g.

localStorage.setItem("webServiceResponse", webServiceResponse);

Regards,
Steve
Telerik