Hi,

I understand that SSL support is planned for EWB server. Will this be delivered this summer?

Would it be possible to include more examples how to do the following?

1. How to build a logon screen, allow access to other pages when logged in (via sessions?)
2. Using SSL with EWB application via own webserver
3. Use buttons in grids (if possible)

Thank you.

On 7/27/2013 10:29 AM, whoami wrote:
> I understand that SSL support is planned for EWB server. Will this be delivered this summer?
AFAIK there is no ETA provided for SSL support so i would not rely on it
being delivered this summer. Considering stunnel can be used today to
get SSL support if you use EWB web server there is a workaround at least.

> 1. How to build a logon screen, allow access to other pages when logged in (via sessions?)
At this point you have to do it yourself. In our case this is the 1st
screen that loads and server returns a session ID that other requests
include - we just store the session in a common module that all other
forms refer to.

> 2. Using SSL with EWB application via own webserver
If you mean server other than EWB web server then you have to refer to
that web server documents on how to enable SSL. EWB apps are just
html/javascript files you host and optionally web services (which are
just http requests) so once your web server does SSL it is transparent
from EWB side.

Raul

Hi Raul,

Thank you for the helpful answers.

Could you explain more about using a session ID in other forms? An example would be very appreciated

Mike

Raul <raul@removethis.raul.ca> wrote:
>> 1. How to build a logon screen, allow access to other pages when logged in (via sessions?)
> At this point you have to do it yourself. In our case this is the 1st
> screen that loads and server returns a session ID that other requests
> include - we just store the session in a common module that all other forms refer to.

This is an important thing to think about, and the session token is a good
option. The key is that the end user has full access to your source, so can
modify it however they wish. Okay, you can obfuscate but one day you may
slip up, or they may have enough interest to make it worth understanding.
So you have a variable that is IsValidUser to control the main form.
Hacked! Now they have full access.

Only by validating on the server, and then getting something back from the
server that you pass each time you ask for data, or want something done,
will you be secure.

I don't know if the EWB server has such capability. If not, it would be
okay for internal use, but not on the Internet until it does. FWIW I use
the RemObjects SDK which has secure sessions as standard.

--
Matthew Jones

Hi Matthew,

Thank you for the explanation. For now I will stick to PHP sessions then

Mike

<< I understand that SSL support is planned for EWB server. Will this be
delivered this summer? >>

Given the current development schedule, probably not.

<< 1. How to build a logon screen, allow access to other pages when logged
in (via sessions?) >>

An EWB application is loaded once and then stays loaded.  It doesn't have
"pages", and therefore does not require session management like traditional
web applications.

<< 2. Using SSL with EWB application via own webserver >>

Raul answered this pretty well, so please see his answer.  The only thing
required on the EWB side is the https:// for any requests.

<< 3. Use buttons in grids (if possible) >>

What kind of button(s) ?  You can include custom combo buttons in a grid
currently that fire this event:

http://www.elevatesoft.com/manual?action=viewevent&id=ewb1&comp=TGrid&event=OnCustomComboClick

If you have any other questions, please let me know.

Tim Young
Elevate Software
www.elevatesoft.com

Matthew,

<< I don't know if the EWB server has such capability. If not, it would be
okay for internal use, but not on the Internet until it does. >>

EWB doesn't include session management because it doesn't need it.  If you
want to authenticate with the server, you should use secure (https) server
requests and pass the user ID/password each time you wish to authenticate.
You can use a TTimer to determine how often the user ID/password are
scrubbed from memory so that the user is re-prompted to enter them.

AJAX does not support anything other than basic authentication, so the above
is the only way to do things in the most secure fashion (at least
currently):

http://en.wikipedia.org/wiki/Basic_access_authentication

Here's a good discussion on sessions/session tokens and the associated
timeouts that occur with them:

http://www.codinghorror.com/blog/2008/04/your-session-has-timed-out.html

In general, if the client machine is compromised because a rogue
user/application has physical access to the machine/web browser, then no
amount of security in the browser application is going to prevent them from
getting access to the server.  This is why you shouldn't do your banking
online using the free library computers.

Tim Young
Elevate Software
www.elevatesoft.com