I need some help understanding some basic concepts about Xojo Web.
My background:
I am not a professional programmer. I simply have thoughts along the line of ‘there must be a better solution for this problem’ and then I just put my mind to trying to figure out a solution. So for years I used Excel VBA to varying levels of success to create all kinds of projects and Xojo seemed like the next logical step. For the last year or so I have become comfortable with Xojo (to a basic level) to make some nice little standalone programs which a few of my coworkers now use. The end result using Xojo certainly looks a lot better than using VBA. It is now time to take the next step into web apps. I have a specific project in mind for for which I believe Xojo Web + Xojo Cloud will be the answer. However I am worried about security and this worry stems mostly from my ignorance. I keep reading how safe and secure Xojo web is and this may be so but without understanding some basic concepts I could accidentally expose user data from setting up my project incorrectly. From perusing the forums and the small amount of available learning resources it seems like most people using Xojo Web already have a fairly good working knowledge of producing web pages using html,css,javascript & php, which I do not have. I have never set up even a simple web page in my life. To understand some basic concept I have spent some time learning about packets/frames/cookies/http/https/DNS/headers/TCP.IP etc etc. I am not sure any of this is needed to create a Xojo Web app but it can’t hurt.
So anyway my question is as follows:
In a web project there is the app, session, web pages and various other things such as classes etc. My current understanding is that the web pages are constantly communicating with the server and that the actual processing is done server side? If my assumption is correct then where should sensitive variables be located? For example: Lets say I create a web app that I distribute to a few friends where each of them rate the others on a scale of 1-5. Then some kind of calculation is done to work out the best friend and only this ‘winner’ is made known to all of the others. Obviously it would be a big problem if they could access the answers given by the others. So when the web app is created what variables go where to ensure privacy? Obviously the user needs a place to enter the information. So there will be some kind of controls to rate the friends and a button. Upon clicking the button the control values are placed temporarily in a variable… where should this variable go to ensure absolute privacy. In the web page/session/app? And then where is the best place to calculate the results? I am guessing the the app but am not sure. There was a comment I read somewhere that any information in the app is accessible by all users of the web app?
Anyways… if someone can answer this longwinded question for me I will be very grateful. Without this rudimentary understanding of how the web projects actually work I am floundering in even getting started.
Any properties of page or session are private to that page/session. Properties of the app are global, but are only accessible if your code allows. Calculation of the values should be at app level, but the values that the caculation is based on are not available to anyone unless you explicitely expose them. Your concerns seem to be ill founded.
Tim and AlbertoD,
thank you for your replies. After posting my question I went to bed (it was almost midnight), hence my late reply to you. Anyway… I woke up somewhat refreshed and revisited my issue. I think I have figured it out to the point where I can say there are some VERY intelligent people working at Xojo who have created a wonderful tool that allows ‘citizen developers’ or whatever Xojo calls dummies such as myself to create awesome solutions.
Anyway, this is what I did. I am detailing here incase I am wrong then someone can correct me.
I made a little test Web App with a textfield, a button, and a label. The when the button was pressed it simply populated the label with whatever was written in the textfield. Simple stuff. I then ran the Web App and used the inspector in my browser to try and figure out what is going on. I learnt that if I name a control ‘Button1’ Xojo web doesn’t put that name in the HTML, rather it is given some kind of randomized nonsensical name. When I press the button there is a jQuery file listening to every event on the web page. The jQuery itself is completely beyond my level of understanding but it appears to communicate with the server as I see the network activity every time I press the button. I noted the network activity fires only if I have code in the event handler.
From what I can tell there are not any exposed variables on the client side. Every event is sent back to the server where it figures out what to do. In this case change the Label text. It then generates new HTML code and returns that to the browser to be displayed. There isn’t any javascript on the client side directly manipulating the label.
Anyways… this is my current understanding of what is going on. Seems very secure to me and I am happy happy enough with this rudimentary understanding. I am just a ‘citizen developer’ who wanted to just have a basic understanding of what is going on underneath the hood before entrusting personal data to a web app.
Web projects have two frameworks (technically three if you count Bootstrap). There’s a framework built in Xojo code, which you interact with directly and a JavaScript/HTML/CSS framework that runs on top of Bootstrap.
When an event fires, your Xojo code runs, manipulates a few controls and right at the end, all of the controls that were changed are asked to provide their current configuration. In technical terms, they are “serialized” into JSON format and that data is compressed and sent to the browser. The Xojo JavaScript framework receives the packet, and sends the updates to each control for deserialization.
FWIW, the first web framework (introduced in 2010) did exactly what you described, sending whole chunks of pre-rendered HTML to the browser, but the overhead of doing that on the server as well as transferring all that data caused CPU load issues on the server. Moving the HTML rendering out to the clients made a huge difference in performance.
Erm, if you’re going to write chunks of prose like this, it’ll help the reader if you split it up into paragraphs, especially those of us with tired old eyes. Thanks.
It’s possible that I don’t fully understand the problem.
I think the results of each friend’s evaluation of other friends will be sent to the server and will need to be aggregated.
For this reason, I think the page for voting (session) and the page for viewing the results (session) are separate.
Therefore, on the results page, only the aggregated results are sent from the server to the client, so you will not be able to see other people’s individual numbers.
It is necessary to restrict the display of the aggregated results after everyone has finished voting.
This is because if you see the tally when only one person has voted, it is that person’s vote.
In the first place, I think the voted value needs to be written outside the app, such as in a database or text file, rather than in the app’s properties. The app properties will be cleared when you restart the app on the server side.
Therefore, by obtaining limited data tailored to the user viewing the page from some external file, other people’s data may not be visible.
Sorry for not being clear because it was a google translation.
I rarely respond to others posts as I’m just like you a ‘citizen developer’ (more of a hobbyist really) but like you I used to write small apps for the company I worked for using access, vbscript and VB6.
I then found xojo a couple of years ago. I started with small desktop apps but after about a year got interested in the web version. Like you the security worried me though not so much from the xojo side but from my own lack of web knowledge. However I plunged ahead and hit some immediate barriers, first off I could not afford the xojo hosting solution, but had zero knowledge with Linux or any other hosting options.
I tried to set up (and managed eventually) to set up a server at home but the security issues were (due to my own limitations) to great. I then ‘discovered’ Tim Parnells Lifeboat. and found this a great solution for a minimal price as it set up the Linux environment, and took care of the security , ssl certificates etc in a way that even I could manage. Once this was done it left me to concentrate on the apps. I have found that you need to get more ‘creative’ with web app as there are less in the ways of controls and properties/methods for them but still very happy to use it.
One of my web apps is for my local club and was fortunate enough to find one member is a cyber security specialist and runs a full suite of scans against my site on a regular basis and has found it solid. So… after that equally long reply, in summary , if your knowledge is limited follow the xojo guides on thing like sql injection and database settings etc, plus a few other things like ssl certificates, hashing, salting. It should make it harder for those wishing exploit your site. I tend to put most thing into the session and have never had any issue with the wrong person getting access to data they should not be able to.
This is very helpful. Thank you. One quick question. You mention storing the voted value in a text file or database. Where should the text file or database be located? In the App, or separately in a module, or completely outside of the program all together?
Thank you Tim. I shall choose this as the answer. It is short and concise and correct. At first I didn’t understand this was actually the answer. For that I needed everybody’s input. So if anyone else if having similar issues I implore then to read all the comments on this post.
I’m as well interested in this post, I need to have a public facing app and I need that app to be secure. However as we know we have our property status Public/Protected/Private , so what we use where we use , when we use ?
In my case I would like to know how do you protect a page and how that data is stored or kept safe.
There is an example of “Managing user login” but based on that example I did not find even one property or method or control or whatever to be set as Private or Protected , so in this case , Do we need to protect properties / methods / controls in WEB or not as that is super confusing.
I get it that XOJO team showcases functionality but as well we need to consider security in mind. I think @Ricardo_Cruz did an example called Intranet long time ago but was not updated anymore.
I would love to see @Xojo as well providgins some insights and help tips in regard to this matter.
In my case I have 2 WebApps that are on my list, one is used internally and I do care about security but at least it is protected in the network itself, and the second one is publicly available due so some restrictions and it needs to be public so in this case I need to make sure that this app is secure and that no data is leaked from it.
Are you perhaps confused about what Public/Protected/Private means? These refer to whether one part of your application can see/use a method or property in another part of the app. Nothing to do with user-facing security of the app itself.
The only thing that is sent to a users browser is the data necessary for displaying the UI that you’ve specified and for communicating user actions back to the server. Think of it like a dumb terminal. Any Xojo properties, classes, methods, etc stay firmly on the server unless you write them into a subclass of WebControl or WebUIControl, and then only of the property is necessary for helping display the control.
Let’s take WebTimer as an example. It has two modes, server-side and client-side. In server-side mode, nothing is sent to the browser at all. The entire timer exists only on the server. In client-side mode, the Period and RunMode properties are sent to the browser so that it can create periodic events to be sent to the server. In both cases, the Action event fires only on the server and none of the code in that event is exposed to the user.
If you want to see everything that could be exposed, just open the developer tools on the browser while your app is running.
All in all, the rules for Xojo web apps is the same as any other web technology, if you don’t want a user to have access to the data, don’t send it to the browser. The easiest way to follow that rule is to not write private data into any property that is necessary for the display or control of a control, and don’t rely on “Hidden” to make it inaccessible. That will only slow down the newbies.