Global Variables - security

Workarounds and usability notes.

Postby John Robin Dove » Thu Apr 26, 2018 7:46 am

Hi Clifton,

I've mentioned this before but I'm still not sure what I should do. I believe you once said that global variables are vulnerable because Firefox developer tools allow access to them. I have several global variables like school, class and student. I pass these from one DHTML to another in encrypted form via a cookie. At the moment they go from the encrypted form to unencrypted, readable form stored in the global variables. Would it be better not to use the global variables at all and go from the encrypted form to local variables within each action sequence that uses them? I'm asking because using them this way involves rewriting quite a lot of code. I have an .htaccess file in my server root directory.

John
John Robin Dove
 
Posts: 486
Joined: Thu Jan 23, 2014 4:35 am

Re: Global Variables - security

Postby Clifton » Thu Apr 26, 2018 9:02 pm

If you want to keep things secure, just keep your sensitive data encrypted and use a function to encrypt/decrypt them for you. Make sure you store your decryption password as a property of some object whose purpose prying eyes would never guess. I use a session password that is based on the current date and time the user accesses or logs onto the system. So their sensitive progress information is pulled from a database and kept encrypted on the client machine using pgStringEncrypt() with AES encryption, and the password depends on the date and time the person pulled their data from the MySQL database.

To get the decrypted information for use during the session, I write a function that takes a parameter which is the actual data that is needed. The return value is the decrypted information, which is only used temporarily. For example, a student's encrypted score in a quiz could be quickly decrypted and updated, then sent back to the database and re-encrypted. The storage location could be browser cookies, but I prefer to use the browser storage object to store the data and then destroy it when the session is over. The PowerPac cookie functions can use the browser storage object by simply indicating that location as a parameter of the function(s). The advantage of the browser storage object is that you can store complex variables (like arrays, etc.) and there is no realistic limit to data size like there is with file cookies.

You could include this basic function for processing sensitive data. It could be written in an XML file and associated with an object, or it could be added as part of a JavaScript function. The former method is a little more secure because it is hard to trace what the method is even for.
    function myStudentData( name, data, pwd, updateWeb ) {
        /* GET / SET session data
           name      = name of the data item to get (or set)
           data      = new data to assign to [name]; omitted/null means "get",
                       otherwise it is encrypted and stored/updated automatically
           pwd       = string password (defaults to the stored session password)
           updateWeb = boolean true to also send the new data to the database
        ***/
        var rtn;
        pwd = pwd || TBK.ssid; // stored session password (generate it on book load and keep it in TBK.ssid, etc.)
        if (data == null) {
            // GET: read the encrypted value from session storage and decrypt it
            rtn = readCookie( name, "session");
            if (rtn == null) { return null; } // nothing stored under this name yet
            rtn = pgStringEncrypt( true, rtn, pwd, 256); // true here = decrypt
            return rtn;
        } else {
            // SET: encrypt the data before storing it
            data = pgStringEncrypt( false, data, pwd, 256); // false here = encrypt
            createCookie( name, data, "", "session");
            if (typeof updateWeb == 'boolean' && updateWeb) {
                // Code to upload to database using XMLHttpRequest()
            }
        }
    }

Anyway, from here you can let your creative powers lead you into other ideas. Feel free to share them as I'm always interested in other ideas and ways of doing things.
 
Clifton
Site Admin
 
Posts: 732
Joined: Tue Jan 14, 2014 1:04 am

Re: Global Variables - security

Postby John Robin Dove » Sun Apr 29, 2018 6:27 am

Many thanks for all this. I had already designed a shared action to convert certain global variables from an encrypted string to readable values returned as a local array parameter. I think this is similar to what you describe, I hope so anyway. I like your idea of a session password and will try to apply it. If I ever finish this program I'll pay you to try and hack into it! But don't hold your breath ... :)
John Robin Dove
 
Posts: 486
Joined: Thu Jan 23, 2014 4:35 am
