Is it safe to use Security Identity to check if a user is logged in?

Hi,

I want to display particular content on a normal page only if users are logged in.
I don't need to output any user details.

I created a Server Action without a DB query, containing a Security Identity with output checked. (see screenshot just below)

Then, on the app page, I create a Server Connect to the above Server Action and set a condition to display the content if "identity" is set? (see screenshot just below)

It works as I intended, but my question is: is it safe to do it like that? Or can it be exploited to get user data? There are no database queries, so I am thinking it is safe.

Any advice would be helpful. Thank you. :slight_smile: :pray:

Your question is so interestingly bizarre, I'm not sure how deep I need to go in my answer...

Anyone that checks the source-code of your page can know the content that was supposedly hidden.

As for "exploiting to get user data", only if such page has user data and you're hiding it...

The only way to truly hide it from the source code is to have a server-side condition (you can search for server-side binding in the forums [NodeJS]).

Regarding your first question, whether it's safe to use the Security Identity step to check if the user is logged in: yes.

Hi,

Thank you for getting back to me. Thank you for confirming.

Yes, I forgot about the fact that you can just see the source code. I am using PHP/MySQL.
How do I do a server-side condition to show or hide content on the app page side?

How does everyone do this if they want to show/hide content on a page?


I believe most people do as you just did, and I just checked a project of mine and that's how I did it as well... But that's just because Wappler doesn't have a button to create server-side conditions :slight_smile:

But I think it's easy to create a server-side condition, especially in PHP; someone will help you.

You should really use the Security Identity inside your API workflow to stop the data being sent from the database, rather than just trying to hide it on your page.

Hi,

I am not sure I follow Brian. Can you give me an example?

I think that, in simple words, what @Hyperbytes says is:

The rule is: whichever step is ticked as output in your server actions (API) is exposed on the client side...


(red is exposed, green is safe)

If output is not ticked, it is safe...

Is that correct, Brian?


Yes, that's part of it.

If you don't want to expose data, then add a WHERE clause to your data query to ensure identity is set, so that no data is returned if the user is not logged in (you can further restrict it to a specific user if needed).

In cpuser's case, the part they wish to hide, I guess, does not come from a database; it is some static links.
This means they cannot really be hidden within the source code, but they can be hidden from display by either setting a dynamic hide() condition or, better, putting them within a conditional region.

To stop hacks (people getting the links from the source code), I would suggest placing the security (as he showed) on the target pages so they cannot be viewed. That way the links are useless.

I am not aware of any way of 100% hiding static text from the source code; even placing it in a partial within a conditional region still shows the content.

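The distinction Brian draws above (a client-side condition only toggles display, while a server-side condition keeps the markup out of the page source, and the target page itself should be guarded) as an added example in plain PHP; this is not Wappler-generated code or code from this thread, and the `$_SESSION['identity']` key, the `items`/`owner_id` table and column names, and the `/members/area.php` path are assumptions.

```php
<?php
// Added example, not Wappler-generated code: plain PHP showing the difference
// between hiding content on the client and deciding on the server.
// Assumption: the login step stored the logged-in user's id in
// $_SESSION['identity'] (a stand-in for Wappler's Security Identity step).
session_start();

function isLoggedIn(): bool
{
    return isset($_SESSION['identity']) && $_SESSION['identity'] !== '';
}

// API-style data step: check identity BEFORE the database is queried, and
// restrict the query to the logged-in user, so an anonymous caller gets nothing.
// 'items' and 'owner_id' are placeholder table and column names.
function protectedItems(PDO $db): array
{
    if (!isLoggedIn()) {
        http_response_code(401);
        return ['identity' => null, 'items' => []];
    }
    $stmt = $db->prepare('SELECT id, title FROM items WHERE owner_id = :owner');
    $stmt->execute([':owner' => $_SESSION['identity']]);
    return ['identity' => $_SESSION['identity'], 'items' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
}

// Guard for the target page itself (e.g. members/area.php, a placeholder path):
// with this in place a leaked link is useless to a visitor who is not logged in.
function requireLogin(): void
{
    if (!isLoggedIn()) {
        http_response_code(403);
        exit('Login required');
    }
}
?>
<!-- Client-side hiding: the links are in the HTML source for everyone;
     only their display is toggled, so "view source" reveals them. -->
<div id="members-links" style="display:none">
  <a href="/members/area.php">Members area</a>
</div>

<!-- Server-side condition: for an anonymous visitor this block is never sent,
     so it does not appear in the page source at all. -->
<?php if (isLoggedIn()): ?>
<div id="members-links">
  <a href="/members/area.php">Members area</a>
</div>
<?php endif; ?>
```

Call `requireLogin()` at the top of each target page and `protectedItems($db)` from the API endpoint; the page-level condition then only decides what to render for someone who has already passed the server-side check.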

Thank you all. I tried using conditions and setting a value on the server side with the content of the HTML code, but on the app side it didn't render the HTML; it just displayed the code. That could have been a workaround if it rendered it.

Is there a way?

I probably wouldn't have done things that way, but it should be possible; I think you are possibly making this far more difficult than you need to.

Did you render the code from the server action within an HTML dynamic attribute like this?



Thank you. No, I didn't do that. I will look into it and apply it.

Appreciate your help as always :pray: