Suppose I want to keep my webpage very simple and light weight by forgoing the use of any frontend framework such as Angular, React, Vue, etc. and without the use of any full-fledged backend framework such as ASP.Net, Spring, PHP, etc. Is it possible to adequately provide security for my webpage using only a web API and a database? If I choose only DotNet Web API but not DotNet MVC and use some kind of database I think I can provide some level of security by authenticating users’ login against their credentials stored in the database. I can also filter users’ input on the frontend using JavaScript and C# on the backend.
However, is it possible to prevent two or more people from using the same credential to login in simultaneous? I can attempt to prevent concurrent logins by storing the Login Status of a user on the database and not provide any data to populate a webpage if the Login Status is Active. I can also have a column on the database called Login Duration Allowed which is a number that indicates how long a user can stay logged and a column called Login Duration wh. The Login Duration Allowed value can be set by the user and once the user has stayed logged in longer than this number or has logged off, the Login Status column in a database table will have a value of Inactive and the Login Duration will be set to zero. When the Login Status has a value of Inactive, users will need to login again and once they do, the Login Status will be set to Active once again and the Login Duration will start counting again as well. I’m not sure if this is adequate security, please advise.
I am a bit confused as to what you are asking. You say not to use a “backend framework” yet mention backend languages and frameworks together (PHP is a language, Spring is a framework while something like Codeigniter is a framework built on PHP). See how that works?
You write web based C# code through a framework like ASP.NET which provides you the bridge of handling an HTTP request by code that wasn’t initially designed to be web based (C#). A framework can also be simple set of rules used standardize, simplify and secure code that is written. In exchange you sacrifice a bit of flexibility to do whatever.
Can you write HTML code that submits data to some API endpoint? Sure. How that endpoint then takes the data and processes it is usually based on some kind of framework or language that understands the HTTP data and what to do with it. C# needs something like ASP.NET, but PHP was designed to be a web languages so it doesn’t need a framework at all. You can write a stand alone PHP script and you handle all processing and security for that data.
As for your questions related to Logins, you usually use something like “sessions” which keeps a user isolated from one another. You verify that the user is the correct user by matching their username and password and if passed, you create a unique session for them that they then use to view material related only to them. Again, depending on the tech you use, this may or may not be handled by a framework. PHP again handles sessions as a core feature of its language and you don’t need something like Codeigniter or CakePHP to handle the sessions for you.
But frameworks are usually used because they help speed development, reduce security concerns and simplify the code you write.
Perhaps if you let us know what you are looking to use in the way of technologies, you can get more targeted advice on if things are possible or not.
P.S. Never rely on Javascript to do any kind of security or validation testing on its own. Think of Javascript as something that could be disabled by the user. Validate on the server in addition to anything you do in Javascript.
Hi Martyr,
I guess you missed where I said I’m not using a “fully fledged Backend Framework”. I also said I’m not using Dotnet MVC which according to Wikipedia started out as a programming pattern then evolved into a framework. So basically I’m thinking about using just the Web API from Dotnet and not MVC which is a framework but I guess you can be picky and say that that’s still using a framework.
The only reason I’m doing this is to try to keep my application as simple and my file size as small as possible. I was just thinking why should I use a large framework if I’m only going to use a few of its features. That’s also the reason why I decided to use vanilla JavaScript instead of using a framework. I would use PHP but I’d have to learn it which will take some time.