
I have an application that is just HTML pages. It makes API calls from another server to fetch/send data. Here are my questions.

  1. How are we going to maintain the session of the logged-in user? That is, how can we prevent him from accessing other pages without logging into the application?
  2. How do we maintain the session timeout at the UI level?
  3. Do we need to encrypt the data before sending it? If so, how do we do it using jQuery?

Kindly let me know. Thanks.

2 Answers

My experience working with APIs showed me that using the PHP session or any code-level session handling system seriously reduces application performance.
This question is a recommended read for your matter.

Have in mind that a REST web service handles requests made by devices or automated clients, not just the concurrent human accesses that a server-side session might be good for.

To handle authentication and authorization, it is common to implement token-based authentication. OAuth2 is a great and widely used 2-factor authentication system in which your clients get temporary tokens that the API authorizes.

Auth gives you strong and flexible security and user-based access (roles, privileges, etc.) that can be used on either the server side or the client side to protect resources. It also gives elegant solutions to:

How do we maintain the session timeout at the UI level?

Serve the token with an expiry value that matches the timeout you want.

Do we need to encrypt the data before sending it? If so, how do we do it using jQuery?

It is strongly recommended that the API run over HTTPS to protect your users' data.
Make use of client libraries that support HTTPS.

You could sign the client code (browser files) you serve to the client side, so you ensure that the client uses "signed requests" for its token.

Encrypting the application data could lead you into huge server bottlenecks when decoding the encoded data sent by your clients.
Have in mind that the client is separate, but the server is unique (or a scalable infrastructure, in the good case), and decrypting the requests from all the clients (the more clients, the better)... well, that really comes down to your budget for server infrastructure and operations.

Hope it's useful.

Evhz

Answers:

  1. Sessions can be maintained with the help of cookies. In a single-page application, a client always loads your whole app. You can prevent this with some methods, but a developer (or hacker) can always get past them easily. The only real method is to prevent downloading your whole app without an auth mechanism. You may search Google for: "single page application authorization"
  2. Use HTTP cookie expiration, and use browser events. You may search Google for: "single page application session timeout".
  3. It depends on the data. Does your data need to be encrypted? For authentication data, you have to encrypt. (Use HTTPS.)

Actually, the "another server" that sends data to the client needs to have auth mechanisms. You may search Google for: "securing single page applications"

ykaragol