apais wrote: Another thing HMGSCRIPT needs urgently is serious session control that uses HTML sessionStorage in order to avoid cookies.
Also server-side validation of the sessions. It's too easy to save and modify some .js and take whatever I want from your server.
Also needed is a toolbar-like component and a CSS-controlled left menu.
And that's just to start =)
At first, HMGSCRIPT must be considered experimental (I've tagged it as 'alpha' in SourceForge) and I'm just learning about web technologies. That said, I have the following comments:
- Currently, server procedures check for a valid user every time, so only clients with valid credentials can access. Username and password are stored in public variables on the client side until the user logs out (then their content is destroyed).
- Regarding possible client code modifications with malicious intentions, it can eventually be done with any HTML/JS client app. The solution for this is to use non-generic server procedures. Generic procedures like dbappend, dbmodify and dbdelete are intended to be used when security is not a big concern. In any other case, specific (custom) procedures must be used.
- I plan to enhance security by assigning a temporary token to the user and returning that value to the client, to be used in subsequent server requests in the same session. This scheme will allow us to assign a 'timeout' for sessions.
As I've said, I'm just learning about this, so any other comments are welcome.