Verify user,password and open menu of rpgs - db2

I have a login module in my application of AS400(rpg400).Here user name and password are verified and only if password matches the user is given access to the Menu screen which further contains rpg programs to navigate to subsequent modules.
What i now want to achieve is when the user is verified, the logged in user name must appear in every screen or rather every rpg screen called.(ie user session must be maintained)Please refrain from guiding on admin properties.This is from a low level point of working.
Below is a PF on users:
USER PF
A R USRREC
A USER 10A
A PWD 10A
A USRTYP 2A
A K USRTYP
Keyed on user type.How can i allow the logged in person's variable accessible to all pgms?

5250 displays aren't like HTML. There's no CSS that can be used as a standard template. You will need to specifically design every display to make it look the way you want it to. For this specific question, that means that you will put a user ID field on every display panel you want to see it on.
If I were designing this, I'd probably pass the user ID as a parameter to each RPG program, but there are many ways to pass information around.
Data area in QTEMP
Database file in QTEMP
LDA
User space in QTEMP
Environment variable (*JOB)
Passing the user ID as a parameter has the advantage that there is never a stale object that needs to be cleaned up. If a person has two user IDs - say she works in Accounting and Accounts Payable - and needs to sign off and back on to this internal security system, subsequent CALLs simply pass the proper parameter.
All of this could be avoided if the system could use the built-in IBM security. Then you could use the user profile that is part of the job name - see the Program Status Data Structure, positions 254-263 to get that within an RPG program. If you could use the IBM user profile, you wouldn't have to pass anything around; each program would be able to retrieve that information on its own; I'd put that into a service program so it's easy to reuse.

Sounds like an ideal use for the local data area or a regular data area created in QTEMP.
RPG: Data Area Data Structure
RPG: Data-Area Operations

If you are using the same user ID that they used to log onto the system, then you can use the USER keyword in your display files.
Do you really need to store user ID and password in a file that is inherently less secure than the way the operating system does it already? This opens a set of issues that you probably don't need to touch.
You can call a CL program or procedure which can use the CHKPWD command to enter their system password. Monitor for an error, and sign them off if there's a problem. Their password is secure (assuming you are using an SSL connection).
If you feel very strongly that you must have a separate password, consider storing a secure one way hash of the password. When they later enter their password, compute the hash on what they enter and compare it to the stored hash.
If you are asking users to enter a password after they are already logged on, then it seems safe to assume you are trying to address some security concern[s], so it seems reasonable to try to help you do so in a secure manner. This is a start.

Related

How to linking a users data to his future account at the time of signup in Stitch

I would like to use Stitch to sign up users. Each user must have a unqiue email and a unique user-name.
This is important for applications like chats or forums, where users should not be forced to reveal their email when communicating.
I already implemented login with email and password as described here: https://docs.mongodb.com/stitch/authentication/userpass/#authenticate-a-user
The problem is:
How to securely save a user-name on signup? I could store a users desired name in a collection and merge it into his custom user data after initial login. In order to do that, I would need to grant the user write privileges to whichever collection holds pending names. This is unsafe, since he could now change the name after the fact or even change other peoples names while they are pending.
The user needs to choose his name at the time of signup. At this time the user is still logged in via anonymous credentials. Hence, I can not restrict users to changing only their own data since they are at this point sill anonymous. I see no way of linking a users data to his future account at the time of signup. Any idea to change that?
It would seem strange, if stitch lacked the functionalities to easily sign up users with a unique name/handle in addition to email address.
I haven't used your exact software but in general I would approach the problem as follows:
When someone starts using the application anonymously, create a user object. The user at this point does not have a reserved (i.e. globally unique) user name, or email address, etc. But the user still has an internal identifier.
Associate user-visible state with the user object. This could be done through server-side sessions or signed cookies. (Unlike unsigned cookies, cryptographically signed cookies permit server to store what would otherwise have to be stored in the server-side session in a cookie, and trust that the client hasn't tampered with the information by e.g. changing the user id).
When user registers, set the user name, email address, etc. on the existing user object. User id remains the same and allows the user to continue to have access to their anonymously-generated data.
Have a process for deleting anonymous users that don't register after some time.

Is it possible to manipulate the database through mail in oracle apex?

I was having the similar problem as mentioned in the below link, Select and Display the table in oracle APEX mail body. I followed the mentioned steps and it worked!! .
Now, I just want to extend the same question and wanted to know, Is it possible to manipulate the the database through click on the button in the mail?
If I crate the html Button APPROVE, It should be able to manipulate database table.
Suppose, APPROVE performs delete operation: delete ename from emp where dno=10.
VERSION : ORACLE APEX 4.2
If you are sending an HTML email to a user and you want that user to interact with the system from the email, you could generate an HTML form that submits to a particular URL (some APEX page with some set of parameters) that actually implements the DELETE.
Assuming that the client email application would allow the user to submit a form, which would generally be a security issue and would probably not be possible from some clients, you'd probably have security issues to worry about on the server side. I'd assume, for example, that you don't want to allow any random person that works out the URL to call to be able to delete whatever row you want from your system. You probably want to require that someone is logged in before you'd allow them to delete a row. And you probably want to make sure that they have permission to delete that particular row.
It's certainly possible that you could work around both the client and the server side permission issues by doing something like creating a unique token that expires after a short period of time and gets passed in with the form to verify that the user has permission to delete that particular row. But by the time you're building that sort of infrastructure or sending users to a login page, you're probably better off just creating links in your email that point to a page in your application and letting users go there to request the actual delete. That's going to work more reliably than a form that submits a request and it will probably involve less work for you.

How do I secure pro membership features in a Chrome App?

I need to know if an installation has been paid for in the past so I can provide some premium features.
Storing a payment flag in indexeddb or the file system sounds easy to defeat. Periodically asking a server and caching the response could do the trick, but I guess the user would have to be logged-in at all times (through google or otherwise) and I'd rather not impose that restriction.
Maybe if there's a way to uniquely identify a user's machine (uuid, mac address, etc) that could allow me to determine if they've made that payment?
Ultimately, this is client side JavaScript. The only means by which you can prevent use of certain features, is to put them on your server and charge for the service.
Some weak methods for preventing access include license validation, and asking the server for non-essential information (if it was essential, then see the above).
For license validation, you could create an algorithm that takes data from the user and transforms it into something else. For example, say they create an account on your website, which your server knows is a 'pro' account. You could then take their first name and email address and do some magic on it.
Here's a simple example that takes those inputs and gives us a key. In this example if our first name is "John" and our email is "john#domain.org", then our key will be fcumnflqjpBfqockp0qtifcufLqjp. However, Tony, with the email "tony#doman.org" would recieve fcumnfvqp{Bfqockp0qtifcufVqp{
You can send this key to the user, and have your code decide whether it can extract the name and email by applying the reverse algorithm.
You can reverse the strings, do various bit math, etc. It's security by obscurity. Other than an account, this is the most common method. It's used by nearly all offline software. Its kryptonite is key generators, which reverse engineer your code, and generate keys by the algorithm you use to verify them.
All the methods such as uuid, mac address etc can be easily forged imo. I think you cannot escape keeping track of user's logged-in status. Implementing something like a cookie based mechanism would be the right way to go.

Password/Authentication for users inside App on iOS

my goal is to give my customers an option to lock their App's Data, so when they give their iPad/iPhone to someone else for an extended period of time, users can't access or accidentally look at confidential data.
[Some Background: It's a medical Application where physicians/staff-members would give iPads to patients. Now the patients are supposed to access some contents, yet shouldn't be able to look at other patients data]
So far, I have a password inside my App. But when a staff-member forgets and wants to reset it, the only thing I can do is "deletion of the whole database". I have a Disclaimer telling people to store their password somewhere, but this is still not the optimal user experience.
Is there anyway I could authenticate the user via his Apple-Password? This way only the person knowing the Devices-Account password can access the data and can always reset the Apple-Password with Apple.
PS: Server-Solutions, like having a User-Password pair with reset-via-mail on a server of mine is out of the question, since it would add to much complexity for the users and in many medical situations the Device shouldn't have access to the web.
Multiple thoughts:
I am not aware of any native public API to authentication using Apple password.
If your app is enterprise app, possibly you can use native private API. I would recommend to disassemble AppStore and check how does it do authentication then
You can also to try to access to some Apple web page which requires authentication and pass to it apple account and password and see what it will return. If it authenticated correctly, then you are fine and you can reset a password.
To make it secure, you will need to ask a user to enter it for a first time, so you can encrypt your encryption keys using authentication material (so you can decrypt encryption key later on).
However, I am not very big fan of this solution, since you can change Apple password and you will be stuck in such case.
Server solution is the best option and it's not that complex. Another option is Forgot password. You ask something what administrator know ("What is your first pet?") and he enters the answer when your application is configured and this answer could be used later to unlock your app.
P.S. And the best solution at the end (which is absolutely shameless self advertisement). A startup which I am part of (SpydrSafe) works on the product which solves exactly your problem. In fact, healthcare is one of the verticals which whom we actively works. If you are interested, contact me (my email is in profile)
if you authenticate the user via apple password, and they forget their apple password, then in order for them to retrieve that password is by reset-via-email .... so either way you are stuck with that dilemma.
As for actually using your apple password, no.
Best way to get what you want is to have the password stored somewhere in real life. Like another computer that the doctors can report to and ask for passwords or just don't forget the password.

iOS identify user(s)

I am building app that will serve some content to the users via my private server. At the server-side I would like to identify user, so that I don't serve same content twice to the same user. How can I identify user(s)?
One way is DeviceID, but user can have multiple devices...?
Is the only way to have my own user IDs for my application (registration). I don't like this as it adds extra complexity to the app.
I know it's a hard task, but maybe facial recognition (from the webcam) could help in logging in users, since it doesn't imply any relation between user and device.
For example, face.com offers a free web-based API for facial recognition.
Although, Ishu's answer (username/password) is the easiest and most standard way to do identify users.
Make an id for user's and also a login page in the app. save his id with in you content table for send that content for that user. if that content entry already having his id then don't send to him otherwise send to him.
I don't think there is another option. You must use user id nothing else.