Web security


I’m not really a web programmer, but if I did some web programming, it was a little PHP on the side. So about security:
When logging in, I would use a session (like in Xojo ofc.) but at the beginning of every restricted (behind login) page I would do something like this:

If($_SESSION(userloggedin) … show page Else echo “not logged in”

I cannot see something similar in the Xojo webapp login example. Is this not necesary in Xojo?

In this situation:
I have a loginpage and a restrictedpage. On the loginbutton there is some authentication code and if true this code: restrictedpage.Show

Can a user ever access restrictedpage without clicking that button? If yes, do I have to secure every page.open and every action within that page? Like button clicks and so?

Thanks for clarification.

Xojo Web apps are single page apps (SPA) so all traffic after the initial load is http requests from the javascript at the client layer. All requests are forwarded to the backend via a unique URL matching the session ID. By the time your page/container/control/Session is notified of an event it has already been mapped to the appropriate session.

For authentication you would bolt on top of that by adding say a LoggedIn property or a User property that is Nil when not logged in. There are many different approaches but suffice to say anything extra you want to add to a session to delineate anonymous user from logged in user would be appended to your Session object.

I have a couple of web apps with login and access restrictions based on roles and specific user authorizations.

Basically, you maintain the security model in a database (or other recipient: flat fil, etc.) and you have a method that checks from your menu or from the control that requests a new page, whether the user has rights and if so, which explicit authorizations (display only, edit, create, display for a region only etc.) You build the security according to your needs. Then, you either call a specific page, or filter the data visible in the page according to the authorizations that you determined. There are a few threads on the topic where you can get inspiration.

In order to ensure that a user cannot call a restricted page or any page other than what the business process calls for, do not use implicit instance. This way, each page is opened on request. With implicit instance, all pages exist already and are loaded. One could ask for them by name if one knows how to do it.