Labs/Apps/Offline Verification

From MozillaWiki

Applications may want to perform offline verification of a user's registration.

This logic can be performed in the application, or by a single-sign-on directory or store.

In both cases, the application is served with Cache-Control headers that allow it to be accessed while the user-agent is offline, possibly using HTML5 App Caching techniques.

Then, when an online verification of the user's identity is performed, a token is stored into localStorage. This token can be checked, later, by the offline application.

The origin whose localStorage holds the token should always be served over SSL; otherwise impersonating the domain to insert or copy a token is trivial.

It should be noted that, on an open platform like a web browser running on a desktop operating system, there is no way to completely lock down an application to run on only one system. We suggest that application developers should focus on convenience to their users and provide extra value through their online offerings.

  • A simple true/false value, or timestamp, is very easy to implement, and can be easily counterfeited by any user.
  • A timestamp that is signed with a private key known only to the online app can provide an additional layer of protection. An attacker could still generate their own key pair, replace the timestamp with their own, and substitute their public key into the program by tampering with the in-memory application, but it would be much more work.