
Quote from Darbdenral on August 26, 2019, 8:19 am
What's the best way to secure a menu option in my NeoPhp app, so it's only accessible by the admin? Can I just use the user's level and username to match the admin and then display? If I do it that way, can I be assured that someone cannot change it through their browser and gain access?
thanks!

Quote from luishp on August 26, 2019, 10:49 am
Hi @darbdenral,
Anything generated client side can be easily accessed, even if we use encryption or a client side login system.
neoPHP includes a server side login system, to secure any server side generated information.
This method is much more secure as it checks user level and permissions before sending the information to the client or allowing any change on the server stored data.
There are many strategies you can use to secure your content.
For instance, this app performs all the calculations server side as it uses a copyrighted algorithm. It would have been easier for us to do all the calculations client side, but then they would have been exposed.
On the other side, this app is almost completely client side, including the login system (a simple password), but we just needed a simple method to avoid curious people and bots entering the system.
What do you want exactly to achieve?

Quote from Darbdenral on August 26, 2019, 9:39 pm
I see, so server side is the only good way to secure my app and client-side protection is a bad idea. It appears you blocked the console on the 2nd example which in itself could block specific hacks and such. I guess using php functions would be the way to go here then..
I've created a web app, it's a projects panel that requires a user to login to gain access.. I've used the neophp plugin for the login process. Once a successful login is achieved, depending on their access level their projects and functions are available.
I just feel like making that bridge from server side to client side, is the mistake and the wrong way to achieve this.. Because essentially I'd be serving up content based on their level returned from the database but determined from javascript variables.
Why not just create a php function to pull it from the neofunctions file (from server) when needed? Maybe a php function could read logged in data from the current session and database and return the parameter/subroutine of choice if successful? But I keep seeing weak points in making the bridge from server to client, so, I'm not sure?
thanks!

Quote from luishp on August 27, 2019, 6:41 am
Well, there are some hidden tricks you can use here.
Did you know you can include PHP code into a VisualNEO Web App?
Just be sure to rename your compiled main file from index.html to index.php.
This way you can code something like this inside a Container HTML property:
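<?php
// Assumes the session was already started before any output was sent.
// Deny unless a user level is set AND it is the admin level (0): with a
// plain != 0 test an unset level (null) compares equal to 0 and gets in.
if (!isset($_SESSION["userlevel"]) || (string)$_SESSION["userlevel"] !== "0") {
    die("Access not allowed");
}
?>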
So imagine this:
1) You create a first App to check user access.
2) Once access is granted you redirect the user to the appropriate second App with LoadApp action command.
3) You add the above code to the new app to secure access.
As PHP session variables are shared among pages in the same domain, you can secure app access easily.
This trick is much more powerful than it seems at first if you have some PHP knowledge!

Quote from Darbdenral on August 27, 2019, 7:47 am
Yes! That's brilliant! No, I didn't know we could run php like that inside VisualNeoWeb apps.. Yes, this adds a whole new feature set of tools to our arsenal for web apps.. I will have to do some code changes here, very promising!!
Thinking now.... it would sure be handy to have a compile event feature that would save index.html to index.php if php code is detected. I like automation. ;)
thanks!

Quote from luishp on August 27, 2019, 8:27 am
Thinking now.... it would sure be handy to have a compile event feature that would save index.html to index.php if php code is detected. I like automation. ;)
Good idea!

Quote from Darbdenral on August 28, 2019, 1:06 am
I don't think this is possible but just checking to be sure..
Can we call actions or share variables from php to VisualNeoWeb like with Javascript?
This stuff would be handy.. An action command to run php code and share data..
BeginPHP
neoscript.subroutineName(param);
$App.myvar
EndPHP
thanks!

Quote from luishp on August 28, 2019, 8:57 am
The problem here is when each code is executed.
Inline PHP code is executed only when you load the application (not when you press a button).
What you can do is to code your own php scripts and call them from VisualNEO Web sending and retrieving variables and much more. That's what neoPHP plugin does. Take a look at the included FormSubmit App for a basic sample.
Regards.
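The server-side check described in this thread, as an added example that is not part of the original posts and not neoPHP's own code: a stand-alone PHP script (hypothetical name admin_menu.php) that the app could request, which decides from $_SESSION alone whether to return the admin menu. The session key "userlevel" and admin level 0 follow the snippet earlier in the thread; the menu items are constructed.

```php
<?php
// admin_menu.php - hypothetical endpoint name (added example, not neoPHP code).
// Assumes the login script stored the user's level in $_SESSION["userlevel"]
// and that level 0 means admin, as in the snippet earlier in the thread.
declare(strict_types=1);

const ADMIN_LEVEL = 0;

// Return the logged-in user's level, or null when there is no valid login.
function current_user_level(array $session): ?int
{
    if (!isset($session['userlevel'])) {
        return null;                         // no session data: not logged in
    }
    $level = filter_var($session['userlevel'], FILTER_VALIDATE_INT);
    return $level === false ? null : $level; // reject non-numeric values
}

// Decide the HTTP status and body from server-side state only.
function admin_menu_response(array $session): array
{
    $level = current_user_level($session);
    if ($level === null) {
        return [401, ['error' => 'Login required']];
    }
    if ($level !== ADMIN_LEVEL) {
        return [403, ['error' => 'Access not allowed']];
    }
    // Constructed sample menu; only ever sent to an admin session.
    return [200, ['menu' => ['Manage users', 'All projects', 'Settings']]];
}

// Request handling: nothing the browser sends is used for the decision.
session_start([
    'cookie_httponly' => true,   // session cookie not readable from JavaScript
    'cookie_samesite' => 'Lax',
]);
[$status, $body] = admin_menu_response($_SESSION);
http_response_code($status);
header('Content-Type: application/json');
header('Cache-Control: no-store');
echo json_encode($body);
```

Because the menu data never leaves the server for a non-admin session, changing JavaScript variables in the browser only affects what the client tries to display, not what it is given.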

Quote from Darbdenral on August 29, 2019, 12:43 am
Ok, I see..
I adjusted my app so that the login authentication is separate from the main app.. After a successful login, I call the project panel as suggested using LoadApp. The handoff is working fine. But when I return to the previous login app to logout the user, it creates a nasty behavior and fails to display anything. Chrome browser will become unusable quickly and actually crash. It seems to get stuck in a loop, I've managed to capture the console and this is the error message that's rapidly repeating inside the console.
WARNING: Tried to load AngularJS more than once. 85VM446:346 WARNING
Any ideas?

Quote from luishp on August 29, 2019, 8:37 am
It's strange.
Are you using LoadApp to get back to the login App?
If so, try this instead:
BeginJS
window.location.href = "https://yourdomain.com/yourloginapp/index.html";
EndJS

Quote from Darbdenral on August 29, 2019, 9:03 am
Yes, it is.. I successfully made an app that will crash Chrome every time! Lol ;)
Your suggestion worked perfectly!
thanks!