apais wrote: Another thing HMGSCRIPT needs urgently is a serious session control that uses HTML sessionStorage in order to avoid cookies.
Also, server-side validation of the sessions. It's too easy to save and modify some .js and take whatever I want from your server.
Also, a toolbar-like component and a CSS-controlled left menu are needed.
And that's just to start =)
First of all, HMGSCRIPT must be considered experimental (I've tagged it as 'alpha' on SourceForge) and I'm just learning about web technologies. That said, I have the following comments:
- Currently, server procedures check for a valid user every time, so only clients with valid credentials can access them. Username and password are stored in public variables on the client side until the user logs out (then their content is destroyed).
- I can't see the point in using cookies or sessionStorage, since we have JS global variables, visible to the whole application and alive until app termination, to temporarily store anything sent by the server to the client. Remember that in HMGSCRIPT there are no page reloads at all. We are making an application, not a web site. Maybe you need to make a deeper review of the HMGSCRIPT model.
- Regarding possible client code modifications with malicious intentions, that can eventually be done with any HTML/JS client app. The solution for this is to use non-generic server procedures. Generic procedures like dbappend, dbmodify and dbdelete are intended to be used when security is not a big concern. In any other case, specific (custom) procedures must be used.
- I plan to enhance security by assigning a temporary token to the user and returning that value to the client, to be used in subsequent server requests in the same session. This scheme will allow us to assign a 'timeout' to sessions.
As I've said, I'm just learning about this, so any other comments are welcome.