I have Oracle APEX 5.1 and Oracle Forms 6i installed.
Now I am wondering how can I call Oracle APEX application from my Forms menu.
Option 1: Full URL to aplication + parameters username/password - not safe
Option 2: Full URL to aplication log in - not elegant.
What I am looking for is function that will take parameters username,password, aplication ID, ... and return full URL to aplication.
Is that possible / best approach?
You would probably do best to look at a new way of authenticating that avoids needing the password altogether, yet remains secure. One way is to call a procedure from the Forms application that generates a single-use, short-lived token specific to the user, then pass that token to APEX along with the username. The APEX authentication scheme then checks that the token is current and valid for the user, and if so allows access.
For example, the token could be generated as a random string, and stored on the user database record in hashed form (combined with the username as salt) along with a timestamp of when it was generated. The authentication scheme checks that the token passed is the same as the one on the user record and that the timestamp on the user record is within the last N seconds. It might then reset the token to NULL in the database. The key point is that it must be "impossible" (read: very hard) for anyone to guess what the token is even if they can see the hashed value in the table.
Related
I have a .Net 6 application. I would like to persist some data to the user session and thought claims is probably an easy way to do it.
As far as I can understand this is the correct way to add claims to the user after the initial login.
var claims = new List<Claim>
{
new Claim("claimType", "blabla")
};
context.User.AddIdentity(new ClaimsIdentity(claims));
If I check the Identities before that request ends there is a new record added which contains the claim I created. But upon the next request to the server it is gone. Only the original Identity is there again.
The value I want to add is calculated during runtime and can't be created during login. I could add it to the database but I REALLY don't want to as I need to check it on every request.
What might I be doing wrong? Or any suggestions to alternate ways to store the information?
Update 1:
Because it might matter, we use an external identity provider and token based authentication to a .net 6 api.
I am using TDD to implement APIs for an authentication system in Laravel. This system uses the one-time-password (OTP) method for authentication. In the first step, an OTP token is issued for the user and stored in the session. In the second step, the server receives a request containing an OTP token from the user and checks if the received OTP token is identical to the one stored in the session.
I have written a test for a scenario where the user sends an invalid OTP token to the server, but I don't have access to the server session in the test, so I cannot compare the invalid token against the session value.
Is there a better way than using sessions to implement this? Is there a solution to access the server session in the test?
Thank you all.
Database
Add a column to the users table for OTP
Step 1:
generate OTP and issue to the customer
Store OTP in database
Step 2:
Server receives request from user with OTP
compare against value in database and delete from database
Pros: Simple to setup
Cons: Additional database queries and need to remember to delete it even if after issuing OTP to user request from user is never made
Cache
Step 1:
Generate and issue OTP to user
Store OTP in Cache
Cache::put("otp-{$user->id}", OTP, now()->addMinutes(5));
Step 2:
Server receives request from user with
Check against the value in cache
Pros: Simple to setup and OTP can be destroyed automatically
Cons: Cache management becomes vital area of application
Need to call a RESTfull webservice from Informatica powercenter. it has a never expiring token for authorization.
Tried calling the webservie using HTTP transformation and passing the access token in the header. it works fine and webservice returns the result. But everyone can see the token once mapping is checked out.
How can we manage the token, store in encoded format or is there a away to create application connection to store the token ?
Here is what we do in Informatica world to protect the sensitive data like password and so on.
You store the value in a file and put it inside a folder.
Make the folder invisible / restrict access to read only for that informatica unix user and rest users have 0 permission.
Once it is done, create a parameter in the file and use that file as a parameter for the informatica mapping, so when ever the mapping runs, it will go and pick up the parameter from the file, which the informatica user can only read, and run the mapping .
This prevents
1. Hard coding sensitive elements in the mapping
2. Hiding the sensitive data from all other Unix users other than Informatica unix user, thereby protecting the data
Here is the situation, I have setup 2 codeigniter installation.
One will be a client and one will be an api. Further improvement of this will be
The client will no longer be made from CI, since I wasn't using it's functionality. I just wanted to start out from a mvc framework right on.
My question would be where should I be storing sessions? during logins.
Below is how I did it, but I think I did it wrong.
I created a Login from the client. This one sends the login credentials to the api and then validated these information sent by the client and will return a message/response whethere the login credentials were valid or not.
If the login details were valid, the api will set a session in it's controller like this
if(true) {
$this->session->set_userdata($array);
}
This is in the login_controller I created. Is this the proper way of setting sessions for a client of a api?
You've got the concept right. You only want to set session userdata upon verifying the user supplied valid credentials.
That said, make sure you're using encrypted cookies and, if you're handling sensitive data, store your session data in the database. Storing it in the database causes some odd quirks with how sessions work in CodeIgniter (mainly with flashdata), but the added benefit of positive identification might potentially be worth it.
By storing the session data in the database, you can more positively verify a user is who they claim to be (in terms of the session ID, etc). The reason is because the session data is stored only in the database, and not in the session cookie (which only holds session ID and some other info). That way, even if someone does manage to decrypt the cookie, they can't modify their userdata to pretend to be someone else, like you might be able to with the cookies only method.
I'm working on developing a page that pulls data down only via ajax:
http://itprojectguide.org/projectmatrix/itprojectguideprojectmatrix.html
the page currently pulls a status json data file.
To authenticate I'll be adding a preliminary signin (user name/password) and I'm thinking about doing the following to ensure a valid logged in user is present:
when signing in, send the user ID, and md5 hased password - the server will return a encrypted string containing User ID, signin date, level
I will pass this encrypted string to all pages, each page will send the string and page type to the server - the encrypted string will be validated to ensure valid user and that the user has signed in within the last 24 hours (based on the date). Data will be returned based on the user's level and the page that the user is on + any page specific data (say date range or company ID depending on the date)
Will the use of the encrypted User ID, signin date, level ensure proper security? I'm looking not to use cookies...is there a better way?
Part of this effort is to use ajax/json only interaction to retrieve data for each page instead of rendering it on the server..
Since you are rolling your own session management logic, you need to ensure the following:
The string returned by the server after authentication is not guessable. You might be encrypting it to prevent tampering, but you also have to account for replay and hijacking attacks. It is for this purpose that most session IDs are generated using PRNGs.
The string is protected during transmission. It depends on what value you (or rather your customers) assign to the data in the application. If the string can be snooped from the wire leading to significant business damage, you should look at HTTPS.
Sessions eventually should expire. The longer the session is active, the greater the chance for it to eventually be discovered.
You might consider using a One Time Password:
http://en.wikipedia.org/wiki/One-time_password
Also, if you can't run things over https you might piggyback on top of various OpenID providers' HTTPS, at least for the initial login to get the session cookie.