First year XOJO anniversary is PERFECT!

I finally launched my first Xojo Web application yesterday through Xojo Cloud.

After one (1) year of frustration, experiments, and expenses (buying different 3rd-party components), at last I got my first Xojo app working before my first anniversary today.

Credit to you all guys, especially [quote]Michel Bujardet[/quote], who is very, very accommodating guiding beginners like me.

My first MEMBERSHIP AFFILIATE system!

http://119.9.95.223/members/

p.s.
I left DOT NET, I left PHP, I left JAVA… Welcome to XOJO!

Hi Ronaldo,

It’s great to see someone developing their site from an idea to reality, but you might want to look into security a bit more before you make it public.

This took me all of about 10 seconds to view.

If it's dummy data then that's OK, but if it's real data, that's a problem.

As you can see above, I also have access to your password reset screen, which just needs an account ID (from the screenshot above) and a new password, so technically I could reset all those users' passwords (not tested, don't know if it'll work or not).

Fortunately I’m not that type of guy, but they are out there.

I’m sorry I can’t help securing the site some more, I’ve not played with Xojo Cloud yet.

J

Julian, I don't know exactly how you did it… but I have my suspicions where simple visibility of objects isn't taken into consideration in a WE app. Developers not used to the concept of how a page is displayed in a browser might fall for this mistake.

Ronaldo, it does seem to look great though! Awesome work! :slight_smile:

Julian,

It would probably help Ronaldo a lot if you sent him by PM the manipulation you did to get to these pages. Then he will know what to change in his app.

[quote=282714:@Michel Bujardet]Julian,

It would probably help Ronaldo a lot if you sent him by PM the manipulation you did to get to these pages. Then he will know what to change in his app.[/quote]
It would be good to share the information here too, when the site is secure, so we can all learn.

I would like to share my thoughts on this but I'd better not do this until it's secure… right now it's night in Asia… Ronaldo hopefully reads this tomorrow…

There’s no manipulation needed at all.
You see a Menu on the left (for a short time) before the Login-Screen is shown.
If you're fast enough (or your internet connection slow enough) you can click the Menu-Items. The content will be shown (as well as the Login-Form above it, which you can just move out of the way).

I haven’t used Xojo Web yet… but it seems that the App does already init/load pages which should only be loaded once the Authentication has been completed. And the content-pages don’t seem to double-check if there’s an Authentication.

No problem guys, I'll post my methods once Ronaldo has made the site private. It wasn't the method that Jurg has highlighted, but that method is also valid and actually pointed me to the method I used.

If others are using a similar method (maybe it's from the Xojo Cloud demo, I've not tried Cloud so I don't know) then maybe they want to watch this thread too.

If Ronaldo is preloading the first record from his database, it might just be a case of not doing that, or putting a dummy empty first record in there as a simple fix.

More later.

Yes, indeed, he displays first a menu, then the login.

That could be because he uses implicit instance, and all the pages are loaded at launch.

He should use non implicit pages and show only the login.

It is best practice to always verify the current user has rights to the events they spawn. What I mean by that is if you have a super sensitive button that only certain users can push… make sure it's that type of user in the button 'Action' event. If all you are doing is hiding the buttons then they can be surfaced by manipulating the DOM and their events sent to the server.

tl;dr: Enforce security at the client and on the server.

[quote]Yes, indeed, he displays first a menu, then the login.
That could be because he uses implicit instance, and all the pages are loaded at launch.
He should use non implicit pages and show only the login.[/quote]
As I said: I don't know much about Xojo Web Apps…
Maybe the site doesn't "show the menu first", but it's indeed that "implicit instance" issue. I think Greg has explained somewhere what this means - but I can't find the link right now.

Anyway - one can easily see that there is too much loaded in the browser (even when not everything is visible). That's one aspect which makes the first page feel slow.

And because that might be of interest to others creating Web Apps:
That’s something everyone can easily do without “hacking” your server/webapp -> see what you’ve really got sent to your browser:

  1. open the url in Safari
  2. Menu “Develop -> Show Web Inspector” (In Safari Preferences -> Advanced: [x] Show Develop menu in menu bar)
  3. Tab: Elements
  4. navigate to: html -> body -> div (XojoContainer) -> div (XojoPages)
  5. by now you noticed that by hovering over the elements, Safari shows/highlights them
  6. so go around and explore :slight_smile:
  7. if you see elements that have “visibility: hidden”, then right-click the html-code and “Edit Attribute” to “visibility: visible”

Now that you've seen some "hidden" stuff you can double-check if the next layer of security has been implemented:

Here we have made visible again what was already briefly visible while the page was loading.

Still half-baked… never put your logic behind Buttons and Controls! Not in standard software and not in WebApps either. The best security approach is to strictly encapsulate all I/O and method calls in a business object layer where each method is checked against who is calling. In this case: while no user is logged in, no information can be passed to the method (even if somebody finds out how to make controls visible or is manipulating the HTTP POST stream).

Hi Guys!

I learn a lot from this post! As a beginner, I was amazed by your findings!

I shut down my site already and am thinking about the fix like what you recommend. Hmmmm… It seems that Tomas Jakobs summarizes the bottom line on how to secure my XOJO.

While I'm back on the drawing board, I'm scratching my head now on where to start and how to start. Any suggestion?

Hopefully, I will master all of this by my 2nd anniversary.

First thing you want to do, is to set all your webpages with Implicit Instance off in the Inspector.

Then instead of simply going WebPage1.Show, you must explicitly create a new instance before:

Dim W As New WebPage1
W.Show

That way only the login page will show.
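The three pieces of advice in this thread (turn Implicit Instance off and create only the login page, check the caller in every button event, and put the real check in a business layer rather than behind controls) fit together as below. This is an added example written for this thread, not code from the original posts or from Ronaldo's app; it targets the Xojo Web API of the time (`Action` events, `RecordSet`, `SQLitePreparedStatement`). Everything named here is an assumption of the example: WebPages `LoginPage` and `MembersPage`, a `WebButton` `ResetButton`, `WebTextField`s `IDField` and `PasswordField`, a `WebLabel` `StatusLabel`, Session properties `MemberID` and `IsAuthenticated` added in the IDE, an `App.DB` property holding an open `SQLiteDatabase`, a `members` table with `pw_salt`/`pw_hash` columns, and the rule that a member may only reset their own password.

```xojo
' Added example for the thread; not the app's own code. All WebPages have
' "Implicit Instance" turned OFF in the Inspector, so nothing but LoginPage
' exists (or is sent to the browser) until the server decides to create it.

' ---------- Session.Open ----------
Sub Open()
  ' Fresh browser connection: no identity yet, only the login page is built.
  Me.IsAuthenticated = False
  Me.MemberID = 0
  Dim login As New LoginPage
  login.Show
End Sub

' ---------- LoginPage.LoginButton.Action (after credentials were verified) ----------
Sub Action()
  ' VerifyCredentials is an assumed method of MemberService that returns the
  ' member's ID, or 0 when the user name / password pair is wrong.
  Dim id As Integer = MemberService.VerifyCredentials(UserField.Text, PassField.Text)
  If id = 0 Then
    StatusLabel.Text = "Login failed."
    Return
  End If
  Session.MemberID = id
  Session.IsAuthenticated = True
  ' The member page is created explicitly, and only now.
  Dim members As New MembersPage
  members.Show
End Sub

' ---------- Module MemberService (business object layer) ----------
' Every method re-checks the session on the server before touching data, so a
' control that was un-hidden in the browser, or a hand-made request, gains nothing.

Private Function CallerIsLoggedIn() As Boolean
  If Session Is Nil Then Return False
  If Not Session.IsAuthenticated Then Return False
  Return Session.MemberID > 0
End Function

' Returns the caller's own downline, or Nil when nobody is logged in.
Function ListMyMembers() As RecordSet
  If Not CallerIsLoggedIn() Then Return Nil
  Dim ps As SQLitePreparedStatement = _
  SQLitePreparedStatement(App.DB.Prepare("SELECT id, name FROM members WHERE sponsor_id = ?"))
  ps.BindType(0, SQLitePreparedStatement.SQLITE_INTEGER)
  ps.Bind(0, Session.MemberID)
  Return ps.SQLSelect
End Function

' Assumed rule: a member may change only their own password. The ID typed into
' the form is compared with the session; the form value itself is never trusted.
Function ResetPassword(targetID As Integer, newPassword As String) As Boolean
  If Not CallerIsLoggedIn() Then Return False
  If targetID <> Session.MemberID Then Return False
  If Len(newPassword) < 8 Then Return False

  ' Store a salted PBKDF2 hash, never the clear-text password.
  Dim salt As MemoryBlock = Crypto.GenerateRandomBytes(16)
  Dim hash As MemoryBlock = Crypto.PBKDF2(salt, newPassword, 10000, 32, Crypto.Algorithm.SHA256)

  Dim ps As SQLitePreparedStatement = _
  SQLitePreparedStatement(App.DB.Prepare("UPDATE members SET pw_salt = ?, pw_hash = ? WHERE id = ?"))
  ps.BindType(0, SQLitePreparedStatement.SQLITE_BLOB)
  ps.BindType(1, SQLitePreparedStatement.SQLITE_BLOB)
  ps.BindType(2, SQLitePreparedStatement.SQLITE_INTEGER)
  ps.Bind(0, salt)
  ps.Bind(1, hash)
  ps.Bind(2, Session.MemberID)
  ps.SQLExecute
  Return Not App.DB.Error
End Function

' ---------- MembersPage.ResetButton.Action ----------
' The control does no authorisation of its own; it only forwards to the layer,
' so un-hiding it in the browser changes nothing about what the server permits.
Sub Action()
  If MemberService.ResetPassword(Val(IDField.Text), PasswordField.Text) Then
    StatusLabel.Text = "Password updated."
  Else
    StatusLabel.Text = "Not permitted."
  End If
End Sub
```

The point of the split is that `ResetPassword` would refuse the request even if someone reached the reset form before logging in, or edited the ID field to another member's number: the decision is made from `Session`, which lives on the server, not from anything the browser sends.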

Oh… that's what it means about IMPLICIT.
Thanks Michel.

So that would solve my VISIBLE-HIDDEN hack!

Great! Great! Great!

If that’s all it takes Ronaldo, great job Michel and others.

Jurg covered the way I found it, I saw the menu load, hit F12 then just removed some of the invisible tags.

Glad I could help before it went live :slight_smile: