WEB Xojo security questions

Hi, I am new to this field and I have some questions:

1) Which code is running on the client side and which on the server side?
2) If I use a crypto library for password encryption, is it going to transfer clear text to the web server and execute the crypto on the server, or is the crypto lib executing on the client and transferring the information encrypted to the server? For me, it is not clear which code runs where …

Thanks for your time

BR/Antonis

Personally I think this is an excellent question, as they haven’t been very descriptive on the matter. What I do know is that what is running on the client side seems to be mostly a huge framework of pre-written code for each of the controls, which calls back to the compiled code on the server side on the events in each control.

That’s about all the answers I can offer you; hopefully someone else here is willing to come in and actually debunk the entire thing for us, because now you’ve gotten me curious.

Your Xojo code runs on the server. You can inject JavaScript into your page to do things client-side, but your code runs on the server. If you want encryption in the communication between client and server, use HTTPS.

So, to my understanding … all the code is running on the server. No client code … Correct? Whatever you are typing from the client to the server cannot be encrypted because there is no client code to do that… So the only way to protect the username and password is the use of an SSL certificate and nothing else… correct?

Now I have another question… How many callbacks are executed from the server to the client? Does Web Xojo have good performance? Because with JavaScript, the web client downloads all the needed scripts at once and only goes back to the server for data updates. If Xojo needs to communicate back to the server many times, it will create delays. What are the best practices to minimize that and also to have a secure web application? Is Xojo the correct programming tool for web database applications?

[quote=20875:@Antonis Vakondios]So, to my understanding … all the code is running on the server. No client code … Correct? Whatever you are typing from the client to the server cannot be encrypted because there is no client code to do that… So the only way to protect the username and password is the use of an SSL certificate and nothing else… correct?
[/quote]
Correct.

Xojo can create web database applications. Whether it is the right tool given your requirements is unclear. Every programming tool targets some specific problem or niche. No one tool does it all. There are always trade-offs. Xojo Web is designed to create a desktop experience in the browser. There are serious trade-offs necessary to make that happen. Out of the box, Xojo requires a lot of communication back to the server. There are ways to extend Xojo to do more in the browser and reduce the communication overhead, but I cannot speak to that as I haven’t done much in that area.

Thanks for your response,

BR/Antonis

There is latency in web apps. You need to internalize an understanding of how to work with it, rather than letting it clobber you. That’s the art part of web apps. One really nice thing to look forward to… When they get WebSockets working reliably with major browsers, a good chunk of the latency that is currently there will go away. Not all, but a good chunk.

You may be able to encrypt on the client side by using the HTML 5 keygen tag:
http://www.w3schools.com/tags/tag_keygen.asp

Of course you would need to build this into the JavaScript. It’s not built into the Xojo framework yet.
But you can make a feature request as it’s an HTML5 tag.

[quote=20933:@Derk Jochems]You may be able to encrypt on the client side by using the HTML 5 keygen tag:
http://www.w3schools.com/tags/tag_keygen.asp

Of course you would need to build this into the JavaScript. It’s not built into the Xojo framework yet.
But you can make a feature request as it’s an HTML5 tag.[/quote]
It’s handy, sure, but Xojo does not have built-in encryption. Plus, the JavaScript framework won’t actually encrypt the outbound data, so there isn’t anything you can do to make use of this.

And anything that is made in JavaScript on the client side can be read and compromised. It’s more common to use client certificate authentication.

Forgot to mention: and SSL on the server side (https).

I know it’s just hashing a string of data. It would be awesome if some kind of JavaScript encryption got here, but we could do with HTTPS… if only standalone supported it…

I don’t know if a standalone app supports “HTTP Digest Authentication”. If they do:

Instead of using a clear text password (Base64 encoded) over HTTPS, use “HTTP Digest Authentication” over SSL. This improves the security a little bit.
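As an added illustration of the last post’s point (example code, not from the thread or from Xojo): a small Python sketch contrasting what an HTTP Basic header carries with what an RFC 2617 Digest exchange (qop=auth) carries. The realm, username, password, nonce and URI values are constructed for the example.

```python
import base64
import hashlib
import secrets

# Constructed sample values for the demonstration (not from the thread).
REALM = "xojo-web-app"
USERNAME = "antonis"
PASSWORD = "correct horse battery staple"
METHOD, URI = "GET", "/login"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(username: str, password: str) -> str:
    """HTTP Basic: credentials are Base64-encoded, which is reversible, not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def basic_decode(header: str):
    """Anyone who can read the header (e.g. without HTTPS) gets the password back."""
    user, _, pwd = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, pwd


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 is what a Digest server stores; the server never needs the plain password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(username, password, realm, nonce, nc, cnonce, method, uri) -> str:
    """Client side of RFC 2617 Digest (qop=auth): only a nonce-bound hash is sent."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{make_ha1(username, realm, password)}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def digest_verify(stored_ha1, nonce, nc, cnonce, method, uri, response) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    nonce, cnonce, nc = secrets.token_hex(16), secrets.token_hex(8), "00000001"
    print("Basic header decodes to:", basic_decode(basic_header(USERNAME, PASSWORD)))
    resp = digest_response(USERNAME, PASSWORD, REALM, nonce, nc, cnonce, METHOD, URI)
    print("Digest response:", resp, "verified:",
          digest_verify(make_ha1(USERNAME, REALM, PASSWORD), nonce, nc, cnonce, METHOD, URI, resp))
```

Digest keeps the password itself off the wire and binds each response to the server’s nonce, but it still uses MD5 and protects nothing else in the request, which is why the post pairs it with SSL.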