
 WebService written in CodeCharge - Security - CCGetUserID()=0 when not in browser

autefrum

Posts: 9
Posted: 09/07/2017, 5:28 PM

I have written a few PHP web services to return data stored inside CodeCharge to Excel. Excel calls the web services from VBA using response=Application.WorksheetFunction.WebService(url)

When I am logged into code charge in Chrome, I am not logged into code charge in Excel - this is the root of my problem.

I want to check the user making the call to the web service has permission to access the data. In the web service I try to do this using the CCGetUserId() function and check against the business rules for access to data. This works when I call the web service from my browser, but returns 0 when called from Excel, which is "Correct".

How do I secure my Code Charge web service?

One option is to pass username and password in the calling url, then call CCUserLogin - but I don't want to pass unencrypted codeCharge passwords in URLs. I would write a custom login function using the SHA256 hashed password and compare this against the login table, but I can't easily generate an SHA256 hash in Excel.

Is there some way to get the token from the session in the browser? Is there another way?
DataDoIT
Posted: 09/09/2017, 8:52 AM

Just so all is clear, you don't "Log into CodeCharge". CodeCharge is
nothing but a tool, a hammer, for helping to create web applications.
I'm sure you knew that, just want to make it clear for others Googling
this thread.

Your interaction is all about the web server (Apache, IIS, Nginx,
whatever), and the client's session with that web server (from Chrome,
Safari, whatever). CodeCharge's CCGetUserID() function merely references
the "UserID" session variable. If there is no session (Chrome, Safari,
whatever), then there will be no UserID value.

For behind the scenes interaction, you need to create some form of API
(https://en.wikipedia.org/wiki/Application_programming_interface_key)
and manage the security of such. That key could be a static encrypted
value, which is decrypted when the web server receives it in the URL.
You'll want to also make certain the communication channel between the
client and the server is also encrypted (ie: SSL/TLS or HTTPS).

Better yet, create an OAuth security channel
(https://en.wikipedia.org/wiki/OAuth) which is much more dynamic and
secure for passing credentials and keys on the open internet.

I know that's vague and leaves lots of questions to be answered, but you
should get the general idea of the web securities involved. Again,
CodeCharge is nothing more than the hammer. How you swing it is up to you.
autefrum

Posts: 9
Posted: 09/10/2017, 5:51 PM

Thanks for your reply, it helped clarify my thinking. I think I will add a `report_access_token` column to the `users` table, and will regenerate this periodically (perhaps on login, or a daily cron job at 3am, or (most securely) every time a report is produced). When a user clicks the 'Produce this report now' link in the Code Charge page, we will look up the users.report_access_token and pass it as a url parameter with the other parameters such as 'Date From'. The code producing the report can then confirm this value matches the real value in the users table.

This token won't allow login, or access to any other data except that report, and it expires, so I think it will meet our security needs.
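Added example, not part of the original posts and not CodeCharge's own code: one way to implement the per-report token described above, storing only a hash of the token, enforcing an expiry, and invalidating the token after one use. The `$users` array is a constructed stand-in for the `users` table, and the function names, the `token_hash` / `token_expires` fields and the user id passed alongside the token are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the `users` table, keyed by user id.
$users = [42 => ['login' => 'alice', 'token_hash' => null, 'token_expires' => 0]];

// Called from the logged-in page when the 'Produce this report now' link is built.
// Returns the raw token for the URL; only its SHA-256 hash is stored.
function issueReportToken(array &$users, int $userId, int $ttl = 300, ?int $now = null): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
    $users[$userId]['token_hash'] = hash('sha256', $token);
    $users[$userId]['token_expires'] = ($now ?? time()) + $ttl;
    return $token;
}

// Called by the web service, which has no browser session (CCGetUserID() is 0 there).
// Returns the user id on success, or null when the request must be refused.
function verifyReportToken(array &$users, int $userId, string $token, ?int $now = null): ?int
{
    $row = $users[$userId] ?? null;
    if ($row === null || $row['token_hash'] === null) {
        return null;                              // unknown user or no token issued
    }
    if (($now ?? time()) > $row['token_expires']) {
        return null;                              // token has expired
    }
    // Constant-time comparison of the stored hash with the hash of the input.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;
    }
    $users[$userId]['token_hash'] = null;         // single use: a new token per report
    return $userId;
}

// Fixed timestamps are passed in so the four cases are reproducible.
$t = issueReportToken($users, 42, 300, 1000);
var_dump(verifyReportToken($users, 42, 'guess', 1100));  // wrong token
var_dump(verifyReportToken($users, 42, $t, 1400));       // correct token, past expiry
var_dump(verifyReportToken($users, 42, $t, 1100));       // correct token, in time
var_dump(verifyReportToken($users, 42, $t, 1100));       // same token replayed
```

Because the token travels in the URL, the HTTPS requirement from the earlier reply still applies, and a short lifetime limits what a token copied from a server log or browser history can do.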
Oper


Posts: 1195
Posted: 09/11/2017, 6:13 AM

If you are on a local network, save the IP of the already logged-in user and the time

(IP and Time)

and only allow the WebService to be run if the IP is the same and is logged in, and the time does not exceed a specific time.

This only works on a local network (we do this and it works great).


_________________
____________________________
http://www.7bz.com (Free CMS,CRM Developed in CCS)

http://www.PremiumWebTemplate.com
Affiliation Web Site Templates

Please do backup first