Question about Alternative User session ?

This forum contains topics that were moved from Get Satisfaction
Sami
Posts: 0
Joined: Mon Jun 29, 2015 9:24 pm

Question about Alternative User session ?

Post by Sami »

(Sorry if my English is bad...)

Hi, I want to use a (self-made) alternative system to handle user sessions instead of using the Appery.io built-in system.

In fact, I want my users' sessions to stay active between a login and a logout event.

My logic:

  • Login will check the presence of my users in the collection "user_bis" and bring back all user data into local storage.

  • I will use this user data in local storage to identify the user across the different screens of my mobile app.

  • Logout will erase my local storage (except "Favoris data", which works in local mode) and bring me back to the login screen.

  • The login screen prevents the user from accessing other screens if the login service is not successful.

I don't want to use a session token because of its lifetime, and I also don't need to use the ACL function, because every piece of data written by the user will contain his id. I will retrieve all of a user's data using this "id" (like in a relational database).

1 - Can you confirm to me:
That the user session token is only useful for the ACL function and its lifetime?
That I will always be able to create, delete and perform every operation on my database's collections (except users, files, devices) without a session token?

2 - According to you, are there any reasons why I shouldn't use this kind of session logic?

Thank you.

Sami

Serhii Kulibaba
Posts: 147
Joined: Tue Aug 27, 2013 1:47 pm

Question about Alternative User session ?

Post by Serhii Kulibaba »

Hello Sami,

You can add a custom column in the collection "users": https://devcenter.appery.io/documenta...

You don't have to use ACL; you can just keep the userId in local storage.
A session token is necessary if you use ACL; if not, you can ignore it.

Sami
Posts: 0
Joined: Mon Jun 29, 2015 9:24 pm

Question about Alternative User session ?

Post by Sami »

OK, thanks for the answer.

So, I can conclude that my database is secure even if I don't use a token to read/write documents:

  • Is the database API key alone enough to ensure the security of the database?

  • Where is this database API key stored on the device when the app is installed (is the key completely unreachable?)

Thank you,
Sami

Yurii Orishchuk
Posts: 0
Joined: Fri Feb 14, 2014 8:20 am

Question about Alternative User session ?

Post by Yurii Orishchuk »

Hi Sami,

What do you mean by "database is secure"?

If you want to use the DB without a token, you cannot manage ACL with the built-in functionality. That means everyone could access these items (to read or write).

You can only restrict it (on the client side) with some logic. For example, get items only with a certain userId (stored locally).

The API key is only an identifier of your DB (every DB has one). It could be used for security.

Regards.

Sami
Posts: 0
Joined: Mon Jun 29, 2015 9:24 pm

Question about Alternative User session ?

Post by Sami »

OK, I've finally decided to use a token to add protection to the database, because if I unzip an IPA or APK file, it's easy to find the API key value in the *.js file.

Do you think JavaScript obfuscation is the only way to add protection in this case, or is there another, more secure way?

Thanks

Yurii Orishchuk
Posts: 0
Joined: Fri Feb 14, 2014 8:20 am

Question about Alternative User session ?

Post by Yurii Orishchuk »

Hi Sami,

The API key is not a security mechanism.

You can obfuscate the JS code; it will make it harder to find the key in your code. But it is not a solution for security.

You can use Appery.io login and then the "acl" field to give access to the needed users.

You can also implement Server Code that implements your own ACL to control access to your DB.

Regards.
