MediaSignage support forum

community support => SignageStudio => Topic started by: conexia on November 01, 2013, 07:09:36 AM

Title: Remote values password unhided
Post by: conexia on November 01, 2013, 07:09:36 AM
I have been testing the Remote Values Queuing as instructed in the video.
But I have seen that the user password can be seen by showing the source code in the browser.

Do we need to create a special user for managing the Remote values?
Title: Re: Remote values password unhided
Post by: ANOOP on November 01, 2013, 07:22:04 AM
Oh this looks quite dangerous :)
Title: Re: Remote values password unhided
Post by: GRAFIXMEDIA on November 01, 2013, 07:35:47 AM
I am trying to get this to work without success.
I have done everything according to the video tut but no luck,

Can you give me some tips on how you managed to get it working?

By the way, you're not supposed to make the URL public & it's best to create a user with minimal privileges, like only sending commands to the station.
Title: Re: Remote values password unhided
Post by: admin on November 01, 2013, 09:50:17 AM
Please speak to Lawrence on Live chat so he can confirm it's not a bug and get it working...
If he finds there is an issue we will resolve it, but I believe it is a configuration error, so please visit with him.

Regards.
Title: Re: Remote values password unhided
Post by: GRAFIXMEDIA on November 01, 2013, 11:22:49 AM
What conexia is saying is that the HTML file contains the user name & password, and in Google Chrome you can right-click on the screen & view the page source, revealing the username & password.
Title: Re: Remote values password unhided
Post by: admin on November 01, 2013, 04:37:28 PM
Correct, now that we know that it works via post: http://script.digitalsignage.com/forum/index.php/topic,3628.msg11372/topicseen.html#new
you can create a sub user with very limited privileges so exposing the password will not be an issue.
And, of course you can also create your own pre-authentication CGI using PHP etc... which would be trivial.
Title: Re: Remote values password unhided
Post by: mediaboy on November 04, 2013, 07:15:43 AM
And, of course you can also create your own pre-authentication CGI using PHP etc... which would be trivial.

Yes, I can see how it's possible to create a PHP proxy in order to hide the user/password (i.e. pass the JS variables to PHP, which adds the user/password and performs the request to the mediaCloud). I strongly advise creating a 'limited account' user like you would do with the RemoteTouch in any case. However, this does not prevent misuse of the interface if it were available on a publicly known URL – for example, anyone with the link could update the screen from anywhere at any time (i.e. multiple people passing variables to the screen at once).

My assumption (based on the above) is that this feature is primarily designed to be used where the controller UI is not public, which is cool. But anyone trying to implement this feature should be aware of its intended design so as not to expose any of their account credentials.

@admin – have you thought about a way that we could retrieve an authentication token from the API, so as to create temporary user sessions for the UI? The token could expire after a given interval (or when a session is terminated by a user - e.g. an endSession function), so the UI would have to re-establish 'trust' to perform another command. Sorry – quite a vague example for something quite technical to implement.
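
The proxy and expiring-token ideas from the posts above, combined in one sketch: the browser holds only a short-lived signed token, and the proxy adds the limited account's credentials server-side. This is an added example, not part of the thread and not MediaSignage code; it is written in Python rather than PHP, and the upstream URL, the field names and the `user`/`password` parameter names are placeholders, since the thread does not give the real ones.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Assumptions for illustration only: the thread gives neither the real
# mediaCloud endpoint nor its parameter names, so these are placeholders
# (including the "user" and "password" keys added further down).
UPSTREAM_URL = "https://upstream.example.invalid/remote-values"
ALLOWED_FIELDS = {"station", "key", "value"}  # hypothetical UI fields
TOKEN_TTL = 300  # seconds before the UI must re-establish trust


def _mac(secret, msg):
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def issue_token(secret, session_id, now=None):
    """Issue 'session_id.expiry.mac' once the proxy has authenticated the UI user."""
    expiry = int((time.time() if now is None else now) + TOKEN_TTL)
    msg = f"{session_id}.{expiry}"
    return f"{msg}.{_mac(secret, msg)}"


def verify_token(secret, token, now=None, revoked=frozenset()):
    """Accept only an untampered, unexpired token whose session was not ended."""
    try:
        session_id, expiry, mac = token.rsplit(".", 2)
        expires_at = int(expiry)
    except ValueError:
        return False
    expected = _mac(secret, f"{session_id}.{expiry}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    if session_id in revoked:  # an endSession call would add the id here
        return False
    return (time.time() if now is None else now) < expires_at


def build_upstream_request(secret, token, ui_params, api_user, api_password,
                           now=None, revoked=frozenset()):
    """Return (url, POST body) for the upstream call, or None if the token fails."""
    if not verify_token(secret, token, now, revoked):
        return None
    # Drop anything the browser sent that is not an expected field, then add
    # the limited account's credentials, which never leave the server.
    fields = {k: v for k, v in ui_params.items() if k in ALLOWED_FIELDS}
    fields.update({"user": api_user, "password": api_password})
    return UPSTREAM_URL, urlencode(fields)
```

The signing secret and the API credentials belong in server-side configuration, and the upstream account should still be the limited sub user recommended in the thread.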