CodeCharge Studio
search Register Login  

Visual Web Reporting

Visually create Web Reports in PHP, ASP, .NET, Java, Perl and ColdFusion.
CodeCharge.com

YesSoftware Forums -> CodeCharge Studio -> General/Other

 WebService written in CodeCharge - Security - CCGetUserID()=0 when not in browser

Print topic Send  topic

Author Message
autefrum

Posts: 9
Posted: 09/07/2017, 5:28 PM Quote message

I have written a few PHP web services to return data stored inside CodeCharge to Excel. Excel calls the web services from VBA using response=Application.WorksheetFunction.WebService(url)

When I am logged into code charge in Chrome, I am not logged into code charge in Excel - this is the root of my problem.

I want to check the user making the call to the web service has permission to access the data. In the web service I try to do this using the CCGetUserId() function and check against the business rules for access to data. This works when I call the web service from my browser, but returns 0 when called from Excel, which is "Correct".

How do i secure my Code Charge web service?

One option is to pass username and password in the calling url, then call CCUserLogin - buy I don't want to pass unencrypted codeCharge passwords in URLs. I would write a custom login function using the SHA256 hashed password and compare this against the login table, but I can't easily generate an SHA256 has in Excel.

Is there some way to get the token from the session in the browser? Is there another way?
View profile  Send private message
DataDoIT
Posted: 09/09/2017, 8:52 AM Quote message

Just so all is clear, you don't "Log into CodeCharge". CodeCharge is
nothing but a tool, a hammer, for helping to create web applications.
I'm sure you knew that, just want to make it clear for others Googling
this thread.

Your interaction is all about the web server (Apache, IIS, Nginx,
whatever), and the client's session with that web server (from Chrome,
Safari, whatever). CodeCharge's CCGetUserID() function merely references
the "UserID" session variable. If there is no session (Chrome, Safari,
whatever), then there will be no UserID value.

For behind the scenes interaction, you need to create some form of API
(https://en.wikipedia.org/wiki/Application_programming_interface_key)
and manage the security of such. That key could be a static encrypted
value, which is decrypted when the web server receives it in the URL.
You'll want to also make certain the communication channel between the
client and the server is also encrypted (ie: SSL/TLS or HTTPS).

Better yet, create an OAuth security channel
(https://en.wikipedia.org/wiki/OAuth) which is much more dynamic and
secure for passing credentials and keys on the open internet.

I know that's vague and leaves lots of questions to be answered, but you
should get the general idea of the web securities involved. Again,
CodeCharge is nothing more than the hammer. How you swing it is up to you.
autefrum

Posts: 9
Posted: 09/10/2017, 5:51 PM Quote message

Thanks for you reply, it helped clarify my thinking. I think I will add a `report_access_token` column to the `users` table, and will regenerate this periodically (perhaps on login, or a daily cron job at 3am, or (most securely) every time a report is produced). When a clicks the 'Produce this report now' link in the Code Charge page, we will look up the users.report_access_token and pass it as a url parameter with the other parameters such as 'Date From'. The code producing the report can then confirm this value matches the real value in the users table.

This token won't allow login, or access to any other data except that report, and it expires, so I think it will meet our security needs.
View profile  Send private message
Oper


Posts: 1177
Posted: 09/11/2017, 6:13 AM Quote message

if you are in a Local Network save the IP of the already login user and time

(IP and Time)

and only allow the WebService to be run if the IP is the same and is log, and the time do not exceed an specific time.

only work in local Network so (we do this and work great)


_________________
____________________________
http://www.7bz.com (Free CMS,CRM Developed in CCS)

http://www.PremiumWebTemplate.com
Affiliation Web Site Templates

Please do backup first
View profile  Send private message

Add new topic Reply to topic Subscribe to topic   


These are Community Forums for users to exchange information.
If you would like to obtain technical product help please visit http://support.yessoftware.com.

Internet Database

Visually create Web enabled database applications in minutes.
CodeCharge.com

Home   |    Search   |    Members   |    Register   |    Login


Powered by UltraApps Forum created with CodeCharge Studio
Copyright 2003-2004 by UltraApps.com  and YesSoftware, Inc.