Web page security without using the framework – General Web Development – SitePoint Forums


Suppose I want to keep my webpage very simple and lightweight by forgoing the use of any front-end frameworks such as Angular, React, Vue, etc. and without the use of a full-fledged backend framework such as ASP.Net, Spring, PHP, etc. Is it possible to adequately secure my webpage using only a web API and database? If I choose only DotNet Web API but not DotNet MVC and use some sort of database, I think I can provide some level of security by authenticating users login against their credentials stored in the database. I can also filter user input on the frontend using JavaScript and C# on the backend.

However, is it possible to prevent two or more people from using the same ID to log in simultaneously? I can attempt to prevent concurrent logins by storing a user’s login status in the database and providing no data to populate a webpage if the login status is active. I may also have a column on the database called Login Duration Allowed which is a number that indicates how long a user can stay logged in and a column called Login Duration wh. The value of allowed login duration can be set by the user and once the user has stayed logged in longer than this number or logged out, the Login Status column in a database table will have the value Idle and the connection duration will be set to zero. When the login status has a value of inactive, users will need to log in again and once they do, the login status will be set to active again and the login time will also start counting again. Not sure if this is adequate security, please advise.

I’m a bit confused as to what you are asking. You say you don’t use a “backend framework” but mention backend languages and frameworks together (PHP is a language, Spring is a framework while something like Codeigniter is a framework built on top of PHP). Do you see how it works?

You write web-based C# code through a framework like ASP.NET that provides you with the bridge of handling an HTTP request through code that was not originally designed to be web-based (C#). A framework can also be a simple set of rules used to standardize, simplify, and secure the code that is written. In exchange, you sacrifice some flexibility to do anything.

Can you write HTML code that submits data to an API endpoint? Sure. How that endpoint then takes the data and processes it is usually based on some sort of framework or language that understands HTTP data and what to do with it. C# needs something like ASP.NET, but PHP was designed to be a web language, so it doesn’t need a framework at all. You can write a standalone PHP script and handle all processing and security of that data.

Regarding your questions related to logins, you usually use something like “sessions” which keeps a user isolated from each other. You verify that the user is the correct user by matching their username and password and, if passed, you create a unique session for them which they then use to view material relevant to them uniquely. Again, depending on the technology you’re using, this may or may not be handled by a framework. PHP again manages sessions as a core feature of its language and you don’t need something like Codeigniter or CakePHP to manage sessions for you.

But frameworks are commonly used because they help speed up development, reduce security issues, and simplify the code you write.

Maybe if you let us know what you’re looking to use in terms of technologies, you might be able to get some more focused advice on whether things are possible or not.

PS Never rely on JavaScript to perform any type of security or validation testing on its own. Think of JavaScript as something that could be disabled by the user. Validate on the server in addition to everything you do in JavaScript.

Hello Martyr,
I guess you missed where I said I wasn’t using a “full-fledged backend framework”. I also said that I wasn’t using Dotnet MVC which according to Wikipedia started as a programming model and then evolved into a framework. So basically I’m thinking of only using Dotnet’s Web API and not MVC which is a framework, but I guess you can be picky and say this still uses a framework.

The only reason I do this is to try to keep my application as simple and my file size as small as possible. I was just thinking why should I use a big framework if I’m only going to use a few of its features. This is also the reason why I decided to use vanilla JavaScript instead of using a framework. I would use PHP but I would have to learn it, which will take time.
