
I have an HTML page where a user can access a Web API 2 webservice to get some data. This HTML page is not part of the MVC application, but is a standalone HTML page, that can be on any web server or local OS.

Before the user can get the data, the user has to request a token with the following code:

```javascript
function login()
{
    self.result = '';

    var loginData = {
        grant_type: 'password',
        username: document.getElementById("loginEmailTest").value,
        password: document.getElementById("loginPasswordTest").value
    };

    $.ajax({
        type: 'POST',
        url: 'https://localhost/token/Token',
        data: loginData
    }).done(function (data) {
        self.user = data.userName;
        // Cache the access token in session storage.
        sessionStorage.setItem(tokenKey, data.access_token);
    }).fail(showError);
}
```

How can I prevent access to a group of HTML pages, such that the user has to have a valid token or logon details before a page is loaded?

Can JavaScript be used successfully with a simple cookie or sessionStorage check?

Simon
  • possible duplicate of http://stackoverflow.com/questions/33992971/setting-up-a-log-in-for-a-website-using-php/33995665 ? – hanshenrik Feb 29 '16 at 02:11

1 Answer

Yes. requestHtml.php:

```php
<?php
// is_valid_token() is not defined here; it must verify the token on the server.
if (!isset($_POST['token']) || !is_valid_token($_POST['token'])) {
    header("HTTP/1.1 401 Unauthorized", true, 401);
    die("invalid token!");
}
// Only pages on this whitelist can be requested.
$whitelist = array('foo.html', 'bar.html', 'baz.html');
if (!isset($_POST['html']) || !in_array($_POST['html'], $whitelist, true)) {
    header("HTTP/1.0 404 Not Found", true, 404);
    die("HTTP/1.0 404 Not Found");
}
readfile($_POST['html']);
```

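And in the JavaScript:

```javascript
function requestHtml(html) {
    var token = sessionStorage.getItem(tokenKey);
    if (!token) {
        return false; // no token
    }
    var xhr = new XMLHttpRequest();
    // The third argument (false) makes the request synchronous.
    xhr.open("POST", "requestHtml.php", false);
    var fd = new FormData();
    fd.append("token", token);
    fd.append("html", html);
    xhr.send(fd);
    // send() returns nothing; the page HTML is in responseText.
    return xhr.status === 200 ? xhr.responseText : false;
}
```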
hanshenrik
  • Is it possible to do the above without using PHP? – Simon Feb 29 '16 at 03:03
  • @user3736648 you can use any language supporting TCP.. PHP is by far the most popular language for doing this. other popular alternatives are Javascript (NodeJS), Python, Ruby, ASP (IIS) – hanshenrik Feb 29 '16 at 03:48
  • nothing stopping you from grabbing a copy of masm and the winapi handbook and write a server in assembly, though. to quote masm32.com: Not for the faint of heart. If MASM is beyond you, take up server side scripting. – hanshenrik Feb 29 '16 at 03:49
  • Can you please help me with a Javascript link that I can use for some help? I am not sure on what I am searching for. – Simon Feb 29 '16 at 03:54
  • if you want to write the server-sided logic in javascript, check this out http://stackoverflow.com/questions/2353818/how-do-i-get-started-with-node-js – hanshenrik Feb 29 '16 at 03:58
  • Thank you. In the above javaScript code, what is the html parameter in the function requestHtml for? – Simon Feb 29 '16 at 04:45
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/104823/discussion-between-user3736648-and-hanshenrik). – Simon Feb 29 '16 at 04:47
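
The server-side gate from the answer, written for Node.js as the comments suggest. This is an added example, not code from the original posts: the token is checked on the server before any page bytes are sent, and the requested name is only ever used as a key into an allowlist. Assumptions: the token arrives in an `Authorization: Bearer` header, the in-memory `ACTIVE_TOKENS` table stands in for asking the issuing Web API whether the token is valid, and the names `decide`, `handler`, `startServer`, `PAGES` and the `protected/` directory are hypothetical.

```javascript
// Constructed sample data: token -> expiry (ms since epoch). A real deployment
// would ask the API that issued the token whether it is still valid.
const ACTIVE_TOKENS = new Map([
  ['sample-token-123', Date.parse('2030-01-01T00:00:00Z')],
]);

// Allowlist maps the requested name to a fixed path, so the request value
// never becomes part of a file path (no "../" traversal).
const PAGES = new Map([
  ['foo.html', 'protected/foo.html'],
  ['bar.html', 'protected/bar.html'],
]);

function isValidToken(token, now) {
  const expiry = ACTIVE_TOKENS.get(token);
  return expiry !== undefined && now < expiry;
}

// Pure decision step: returns the HTTP status and, on success, the file to send.
function decide(authHeader, page, now = Date.now()) {
  const match = /^Bearer ([\w.~+\/-]+=*)$/.exec(authHeader || '');
  if (!match || !isValidToken(match[1], now)) {
    return { status: 401, file: null };
  }
  if (!PAGES.has(page)) {
    return { status: 404, file: null };
  }
  return { status: 200, file: PAGES.get(page) };
}

// HTTP wrapper: the page is read only after decide() returns 200.
function handler(req, res) {
  const page = new URL(req.url, 'http://localhost').searchParams.get('html');
  const { status, file } = decide(req.headers.authorization, page);
  if (status !== 200) {
    res.writeHead(status, { 'Content-Type': 'text/plain' });
    return res.end(status === 401 ? 'invalid token' : 'not found');
  }
  res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8', 'Cache-Control': 'no-store' });
  require('fs').createReadStream(file).on('error', () => res.destroy()).pipe(res);
}

// Call startServer(8080) to run it; nothing listens when the file is loaded.
function startServer(port) {
  return require('http').createServer(handler).listen(port);
}
```

A sessionStorage or cookie check in page script runs only after the HTML has already been delivered, so the protected pages have to sit behind a handler like this one rather than in a publicly served directory.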