
irigsoft

uniGUI Subscriber
  • Posts

    1353
  • Joined

  • Last visited

  • Days Won

    22

Posts posted by irigsoft

  1. 5 minutes ago, Mossy said:

    The issue only lasted 40 minutes and all are OK now. Some of these apps were running for more than a year. The issue is that all apps on different servers and different applications (we have 3 different apps on uniGUI) stopped exactly at the same time and started working at the same time. It appears to me they were checking something like whether they had no licence or something similar. The message was "This site can't be reached".

    We did nothing on all these servers except one, which we restarted, and that had no effect. However, they all started working at the same time.

    We have servers from different suppliers like Contabo, fasthost, GoDaddy.

    1. I am sorry, but this seems like an attack. Are all these servers under one domain name?

    2. Are you using some proxies?

    3. We also use uniGUI servers and no such outages have occurred. In which country are your customers/suppliers?

  2. Hi.

    I add here a solution that may be useful for someone:

    https://www.experts-exchange.com/questions/26933022/How-to-lock-out-a-file-or-path-from-within-a-Delphi-app.html

    question:

    How to lock out a file or path from within a Delphi app?

     

    proposal:

    try this;
    rename the folder you want to test to;
    from:
    New Folder1
    to:
    New Folder1.{ED7BA470-8E54-465E-825C-99712043E01C}

    So, when your Delphi program runs, it renames it back to New Folder1

    rename file code;
    lock folder:
    RenameFile('New Folder1', 'New Folder1.{ED7BA470-8E54-465E-825C-99712043E01C}');
    and back
    unlock folder:
    RenameFile('New Folder1.{ED7BA470-8E54-465E-825C-99712043E01C}', 'New Folder1');

     

    explanation:

    {ED7BA470-8E54-465E-825C-99712043E01C} is one of several special names that the Windows systems recognize and treat in different ways.  For instance, the control panel 'folder' has a special icon and there are some things you are not allowed to do with the folder or its contents.  I think this particular folder identification was introduced in Win7.  Many writers have named it the "God" folder.
     

    more info:

    https://en.wikipedia.org/wiki/Windows_Master_Control_Panel_shortcut

    https://answers.microsoft.com/en-us/insider/forum/all/god-mode-other-windows-10-tips-tricks/9e81e023-9179-4b59-9937-f1e9aab537b4

    • Thanks 1
  3. 34 minutes ago, Sherzod said:

    Hello,

    Can you test this approach for now?

    MainForm.Script ->

    Ext.define(null, {
        override: 'Ext.form.Label',
    
        afterRender: function () {
            this.callParent(arguments);
            if (Ext.isEmpty(this.forId)) {
                this.getEl().dom.removeAttribute('for');
            }
        }
    });

     

    thanks, but now this message is shown

    (screenshot)

    and again:

    (screenshot)

     

    (screenshot)

     

    does this code also apply to a hidden TUniLabel?

  4. I just want to add some knowledge about why it is important to disable SSL and old TLS versions

    How to prevent and repair POODLE attacks and BEAST attacks

    Any server that supports SSL 3.0 and older versions of TLS is vulnerable to a POODLE attack. Modern versions of TLS are safe, and today's browsers block sites that use old versions of TLS (1.0, 1.1). A server configured to support only newer protocols (TLS 1.2, 1.3) prevents the possibility of a POODLE attack.

     

    This information is also for those who think that using https is quite enough to protect their web applications!
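    As an added illustration (not code from the forum post or from uniGUI, whose Delphi/Indy server is configured through its own properties), here is the equivalent hardening in Python's standard ssl module: the server context only negotiates TLS 1.2 and TLS 1.3, and a small audit helper reports which protocol versions a context would still accept. The certfile/keyfile parameters are hypothetical paths supplied by the caller.

```python
import ssl

# Protocol versions in order, oldest first. Used only for reporting.
_VERSION_ORDER = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side context that only negotiates TLS 1.2 and TLS 1.3.

    SSL 3.0, TLS 1.0 and TLS 1.1 are excluded by the minimum version, so a
    downgrade to SSL 3.0 (the POODLE precondition) cannot be negotiated.
    certfile/keyfile are hypothetical paths; they are omitted when run offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def accepted_version_names(ctx):
    """Names of the protocol versions a context would still negotiate."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    # MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels, not real versions.
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _VERSION_ORDER[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = _VERSION_ORDER[-1]
    return [v.name for v in _VERSION_ORDER if lo <= v <= hi]


def legacy_version_names(ctx):
    """Versions below TLS 1.2 that a context still accepts (should be empty)."""
    return [n for n in accepted_version_names(ctx)
            if ssl.TLSVersion[n] < ssl.TLSVersion.TLSv1_2]


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("accepted:", accepted_version_names(ctx))
    print("legacy still enabled:", legacy_version_names(ctx))
```

    The audit helper is the check to run against any context an application builds: if legacy_version_names returns anything, the server still answers SSL 3.0 / TLS 1.0 / TLS 1.1 handshakes regardless of the certificate or cipher list.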

  5. @Sherzod, could you share with me whether it is possible to protect (somehow) my StandAlone application from Session Hijacking?

    I know methods like using a VPN, not using open Wi-Fi, not opening suspicious emails, but all of that is on the user side and I don't have control over it.

    I need some methods that I can apply on the server app.

    1. I have protection from XSS

    2. I already use Session Restriction like srOnePerIP/srOnePerPC

    3. I already use a short SessionTimeout

    4. I have https

    now I need: https://www.linkedin.com/advice/1/what-best-ways-prevent-session-hijacking#monitor-and-audit-sessions

    1. to check the user's data when the session is opened and work with it!

    2. Set the SessionID cookie = Secure and HttpOnly

    Or you can just tell me: "We have Session Hijacking protections, you need to do this ......"

     

  6. 1 minute ago, Sherzod said:

    Strange, in principle this should always return the actual "IP".

    Yes, I know.

    1. procedure TUniMainModule.UniGUIMainModuleCreate(Sender: TObject);
    begin
      // Remember the IP the session was opened from
      mInnerSessionID := UniSession.RemoteIP;
    end;

     

    2. When I use this on TUniServerModule.UniGUIServerModuleHTTPCommand

    var
      I: Integer;
      U: TUniGUISession;
      sSessionID: string;
    begin
      sSessionID := ExtractSessionId(ARequestInfo.UnParsedParams);

      SessionManager.Sessions.Lock;
      try
        for I := SessionManager.Sessions.SessionList.Count - 1 downto 0 do
        begin
          try
            U := SessionManager.Sessions.SessionList[I];
            // Check MainModule availability. Some sessions may not have a MainModule instance
            if (U.UniMainModule <> nil) then
            begin
              // Access custom MainModule variable: store the IP of the current request
              if (U.SessionId = sSessionID) then
                TUniMainModule(U.UniMainModule).sInnerSessionID := ARequestInfo.RemoteIP;
            end;
          except
            // Ignore sessions that are torn down while we iterate
          end;
        end;
      finally
        SessionManager.Sessions.Unlock;
      end;
    end;

     

    3. procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
    begin
      // Terminate the session if the request IP differs from the IP it was opened from
      if (mInnerSessionID <> sInnerSessionID) then
      begin
        Handled := True;
        TUniGUISession(ASession).Terminate('Session is closed');
      end;
    end;

     

    then this works!

    This slows down the server when I have more than 50 active sessions, so I am searching for a solution without using TUniServerModule.UniGUIServerModuleHTTPCommand

  7. 43 minutes ago, Sherzod said:

    Are you using a mobile device? If so, which device, browser? And what application do you use: mobile or desktop?

    I tried it with mobile devices: Samsung (Android 10 Chrome + WebView), RedMi (Android 10 Chrome), Lenovo Tab 3 (Android 5.0 Chrome)

    I use uniGUI Professional 1551 and a Desktop StandAlone Application for the server

  8. Hello,

    How to get some protection from Session Hijacking is explained here: https://www.linkedin.com/advice/1/what-best-ways-prevent-session-hijacking#monitor-and-audit-sessions

    Is there a way to protect the app from session token theft?

    here https://www.imperva.com/learn/application-security/session-hijacking/

    they talk about how to protect the user with:

    Prevention is the most effective strategy against session hijacking.

    For users, this includes basic security practices such as avoiding public Wi-Fi for sensitive transactions, using VPNs, and keeping software up to date. It’s also important for users to be aware of phishing tactics and to understand the importance of logging out of sessions, especially on shared computers.

     

    but how to secure communication between server and client?

    Is it somehow possible to:
    1. We get the session ID generated when the session was opened

    2. We get some user data that is unique to this session

    3. Add some variable from the server

    4. with points 1 + 2 + 3, we create a unique token for this session and its user data


    So when someone tries to use a hijacked session id, the server knows about it?

    like here is explained:

    For web developers and organizations, prevention requires a more technical approach. This includes implementing HTTPS across all pages, using secure cookies, and adopting robust session management practices.

    ......

    Developers play a crucial role in preventing session hijacking by building security into their applications. This includes:

    Additionally, developers can utilize custom session handlers that store session data more securely and regenerate session IDs after a successful login, further reducing the risk of session hijacking

     

  9. 11 minutes ago, Sherzod said:

    So, were you able to achieve success?

    No, I don't know why, but when creating the new session the RemoteIP is for example 123.123.123.123

    After I change the network (from Wi-Fi to mobile; they are from different operators) and try to keep working with my StandAlone app,

    through the function TUniMainModule.UniGUIMainModuleHandleRequest I check what TUniGUISession(ASession).ARequest.RemoteIP is; it is always the same (123.123.123.123) as when the session was opened.

    I think the RemoteIP should change, but even after 5 minutes it still hasn't, and the session is still alive!?!

     

    @Sherzod, I must say that I changed the network on the user's mobile device, not at the server!

  10. 28 minutes ago, Sherzod said:

    This post may help you:

     

    Thanks, but this does not work.

    RemoteIP is always the same!!!

    My code (uniGUI_runtime_1.90.0.1551 - Professional):

    1. procedure TUniMainModule.UniGUIMainModuleCreate(Sender: TObject);
    begin
      // Remember the IP the session was opened from
      mInnerSessionID := UniSession.RemoteIP;
    end;

     

    2. procedure TUniMainModule.UniGUIMainModuleHandleRequest(ASession: TObject; var Handled: Boolean);
    begin
      // Compare the IP of this request with the IP the session was opened from
      if (mInnerSessionID <> TUniGUISession(ASession).ARequest.RemoteIP) then
      begin
        Handled := True;
        TUniGUISession(ASession).Terminate('Session is closed');
      end;
    end;

  11. My case is this:

    1. The user is connected to public Wi-Fi

    2. a new session is created and the server knows from which remoteIp

    3. after 15 minutes, as the User works with the open session, the Wi-Fi signal is lost and automatically connects to a mobile network on his phone

    4. The session has not timed out and the session has not been terminated, but the user's IP address has already changed.

    I need to know when point 4 happens, is this possible?

     

    I try, via TUniMainModule.UniGUIMainModuleHandleRequest,

    to get it from TUniGUISession(ASession).RemoteIP, but the IP doesn't change; the RemoteIP is always equal to what we started the session with!

    Is there some global variable that collects this information?
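    The token scheme sketched in steps 1 to 4 of the earlier post in this list (session id + user data + a server-side value, combined into a token the server can verify), the Secure/HttpOnly cookie from item 2 of the question to @Sherzod, and the IP-change detection asked about here can be demonstrated together. The following is an added Python example, not code from the forum thread or from uniGUI: SessionBinder, SessionRecord and binding_cookie_header are hypothetical names, the session store is an in-memory dict standing in for the real session manager, and the addresses and user agent in the walk-through are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class SessionRecord:
    user_id: str        # step 2: data unique to the logged-in user
    user_agent: str     # step 2: client characteristic captured at session start
    server_nonce: str   # step 3: random server-side value, never sent to the client
    client_ip: str      # remembered so an address change (point 4 above) is visible


class SessionBinder:
    """Server-side session store that binds each session id to user data
    and a server secret with an HMAC (steps 1 to 4 of the earlier post)."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._sessions: dict[str, SessionRecord] = {}

    def _token_for(self, session_id: str, user_id: str, user_agent: str, nonce: str) -> str:
        # A field separator keeps "ab"+"c" and "a"+"bc" from producing the same MAC input.
        msg = "\x1f".join([session_id, user_id, user_agent, nonce]).encode("utf-8")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def open_session(self, user_id: str, user_agent: str, client_ip: str):
        """Step 1: generate the session id; step 4: derive the binding token."""
        session_id = secrets.token_urlsafe(32)
        rec = SessionRecord(user_id, user_agent, secrets.token_hex(16), client_ip)
        self._sessions[session_id] = rec
        return session_id, self._token_for(session_id, user_id, user_agent, rec.server_nonce)

    def check_request(self, session_id: str, presented_token: str,
                      user_agent: str, client_ip: str) -> str:
        """Classify a request as 'unknown_session', 'token_mismatch',
        'ip_changed' or 'ok'. The caller decides what to do with the result."""
        rec = self._sessions.get(session_id)
        if rec is None:
            return "unknown_session"
        # Recompute with the *presented* user agent: a session id replayed from a
        # different client yields a different token, and the stored nonce plus the
        # server secret mean the token cannot be rebuilt outside the server.
        expected = self._token_for(session_id, rec.user_id, user_agent, rec.server_nonce)
        presented = presented_token if presented_token.isascii() else ""
        if not hmac.compare_digest(expected, presented):
            return "token_mismatch"
        if client_ip != rec.client_ip:
            # Reported as a signal only: Wi-Fi to mobile roaming also changes the IP,
            # so re-authentication may be the better response than termination.
            rec.client_ip = client_ip
            return "ip_changed"
        return "ok"

    def terminate(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def binding_cookie_header(value: str) -> str:
    """Set-Cookie line for the binding token (item 2 of the earlier question):
    Secure + HttpOnly + SameSite so page scripts and plain HTTP never see it."""
    return f"Set-Cookie: bind={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    # Constructed walk-through of the Wi-Fi to mobile scenario described above.
    binder = SessionBinder(secrets.token_bytes(32))
    ua = "Mozilla/5.0 (Linux; Android 10) Chrome"
    sid, tok = binder.open_session("user42", ua, "123.123.123.123")
    print(binding_cookie_header(tok))
    print(binder.check_request(sid, tok, ua, "123.123.123.123"))       # ok
    print(binder.check_request(sid, tok, ua, "198.51.100.7"))          # ip_changed
    print(binder.check_request(sid, tok, "curl/8.0", "198.51.100.7"))  # token_mismatch
```

    Because the token is an HMAC over the session id, the user's data and a server-only nonce, a session id copied on its own (for example out of request parameters, where ExtractSessionId reads it in the server-module code earlier in this list) does not satisfy check_request; the token travels in its own Secure/HttpOnly cookie, so it is neither in URLs nor readable by page scripts. An IP change is returned as a separate status instead of terminating inside the check, because the Wi-Fi to mobile switch described in this post is a legitimate change and the server can choose re-authentication over termination.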

     

  12. 1 minute ago, Sherzod said:

    Sorry for late response.

    One possible solution:

    1. UniEdit1...

    function keydown(sender, e, eOpts)
    {
        var customVar = ajaxRequest(sender, 'getCVar', {}, false).responseText;
        alert(parseInt(customVar) + 5);
    }

    2. 

    procedure TMainForm.UniEdit1AjaxEvent(Sender: TComponent; EventName: string;
      Params: TUniStrings);
    begin
      if EventName = 'getCVar' then
      begin
        // Instead of 10, "any variable"...
        UniSession.SendResponse(10.ToString());
      end;
    
    end;

     

    Thanks I will try it.

    • Upvote 1
  13. 5 hours ago, Sherzod said:

    Hello, 

    Can you please explain in more detail? 

    Hi.

    uniMainModule

    public

    ReplacePswCnt: Integer;
     

     

    1. FormCreate

    ReplacePswCnt := 5;
     

    2. uniEdit.ClientEvents.ExtEvents.Values['keydown']

    (screenshot)

     

    3. I enter some key and the result must be (ReplacePswCnt + 5) = 10:

    alert('key=10');

     

    4. result

    nothing is happening!

     

     

  14. 7 hours ago, Norm said:

    How to detect that the browser is alive but idle because the user is not doing anything.

    If the user does nothing, then I also close the session if there is no answer to the question.

    My idea is to keep a small number of sessions active, so if I don't get a response, I terminate that session.
    If the user works in the system, each of his actions resets the counter for displaying the message, so the time until the message is displayed starts running when there is no activity.

  15. 44 minutes ago, vbdavie said:

    That is triggered by a uniTimer event. That means it WON'T work if the browser went dead/asleep.

    Because the server sends ShowMessage with a callback, the server can wait for the client to answer. At this point I set Y seconds to wait for the answer; if there is no answer, the server kills the session.

     

    This works even if the browser tab is closed!

  16. 1 hour ago, vbdavie said:

    Which server setting controls this "automatically terminated after a short interval"? My hibernated sessions end up going for 24 hours. My session idle timeout is set for 24 hours. In this case, I don't seem to have a way to kill the session earlier.

    UniServerModule.SessionTimeout: this is how many milliseconds the server will wait for an answer from the client (on the client side).

  17. 34 minutes ago, vbdavie said:

    yes, irigsoft said he asks a question every 15 minutes. That is triggered by a uniTimer event. That means it WON'T work if the browser went dead/asleep.

    Right?

     

    Davie

    You do not understand my logic.

    I have 3 time periods that expire:

    1. Session Ajax request - uniServerModule.AjaxTimeOut

    2. Session Timeout - uniServerModule.SessionTimeout

    3. Time to wait for an answer from the client (Y seconds), and then, if there is no answer (if the browser is dead), the server kills the session.

       3.1 I have a setting for how many times per hour to ask the user to answer "Are you there?"

       3.2 I have a setting for how many seconds to wait for this answer before killing the session

    So try my code and please write the results.

    The uniTimer event is a server-side event, so I don't need an answer from the client to kill the session.

     

    I will give you point 4. Try to save the Session_ID in the database when the session opens, then every X minutes/seconds just kill it!

  18. 3 hours ago, vbdavie said:

    The TuniTimer REQUIRES that the BROWSER send the timer event. So if the browser is non functional (frozen/hung/asleep/hibernated) then your mainform will never get the timer event

    "TuniTimer REQUIRES that the BROWSER send the timer event" - I think this is not true! Because if you try to set uniTimer.ChainMode = False then no action will execute. I have on MainForm a uniLabel that shows the Date/Time from the server every second. If there is no server then no label.caption will be changed; this is because the action starts from the server and goes to the client.

     

    Try my proposal and see that it is not like you think. That is because the server waits Y seconds and closes if there is no action from the user.
