Avatar

javascript security

0

Hi there,

I am using a 5.6 database and my web application allows users (who must log into my website however we do not necessarily trust them) to view my geotab zones on a map. I have successfully implemented the zones onto my map and all is well aside from the security side of things. What is the best way to login to the geotab database in javascript without my password and user credentials being visible in the javascript of the page? I understand that once I am logged in, the security token holds a session id which will allow me to access data without needing the password again. I am currently redirecting my map page to a "geotab-login" page, then redirecting back to the map page. This works ok, the password is not visible in the map page however if someone was to stop the page while it was logging in on the geotab-login page my credentials would be exposed.

What would be the best way to guard my password whilst logging into the database?

Thanks in advance!

 

 

 

Belinda Wallis

Please sign in to leave a comment.

1 comment

Avatar

Hi Belinda,

Here's a couple of things for you to consider off the top of my head:

It's possible to set up an account type that only allows viewing of zones (or other entity types needed for your process) rather than using an administrator account. The security is implemented so that it should not allow interaction with other entity types even through the API. You could use this account to get the data from MyGeotab to ensure that no data can be edited or deleted by users of your service.

Another thing you may consider if security is important, you could wrap the api requests in some kind of server side web service where all communication happens with MyGeotab. In this way you would not be exposing either the login details or session id to a non secure environment. This would have some performance overhead of course.

Thanks,

Steve

0
Comment actions Permalink
Steve Hansen 0 votes