ICRISAT LIMS - Logging In

(Ref Id: 1346297712)

Logging in was easy enough. You use the Administrator username and password found in the tutorial and then you click on Change Password.

There is a problem with the system that I can see already, though. If you edit the Administrator's profile you can see the password stored in the system in clear text. This means the application stores passwords in a recoverable form rather than as one-way hashes. You should never be able to see a password in an application. If a user forgets a password, an administrator should be able to reset it (issue a new one-time password and force a change at the next login), not read the old one back to him/her. Storing passwords in the database (or anywhere else) without first hashing them with a per-user salt and a slow password-hashing function is a security vulnerability and should be avoided: anyone who obtains the database or a backup of it gets every account at once, and users who reuse passwords elsewhere lose those accounts too.

The flash tutorials become increasingly useful once you actually have the system up and running, but you cannot follow them just yet: one last configuration step remains. I'm running Apache Tomcat 6, and Tomcat's Jasper JSP compiler enforces strict escaping of quotes inside JSP attribute values (STRICT_QUOTE_ESCAPING), which the application's JSP pages do not satisfy, so the application fails when trying to create a new user. You'll know that you have this problem when you try to create a new user and an error page appears instead of the normal form fields; one of the error messages will contain 'must be escaped' somewhere in it. The workaround is to add the following line to the catalina.properties file in the Tomcat /conf folder:

org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false

Then stop and restart Tomcat and the problem will go away. Be aware that this is a JVM-wide property: it relaxes JSP parsing for every web application deployed on that Tomcat instance, not just LIMS. The proper fix is for the application's own JSP pages to escape the offending quotes so that the setting is not needed. Looking at the history of this application I can see why it expects you to upload Excel spreadsheets: it was originally written using Microsoft tools like ASP. It was subsequently rewritten in Java, but it still expects you to perform basic data entry in Excel for some odd reason.

While poking around I found another security oddity: if you type in a partial user name, the full user name pops up. I'm hoping this is my browser doing this, but I doubt it. It appears to be the application itself. (A quick way to check: browser form autocomplete only offers values previously typed into that browser, so if you are offered account names you have never typed on that machine, or a fresh browser profile shows the same suggestions, the server is supplying them.) From a security perspective this is not such a stellar idea. Once an attacker has a valid user id she is half way into the system. Guessing user ids on a system like this is just a matter of typing "a, b, c, ... z" until a username pops up. Then some social engineering (perhaps a phone call to the administrator complaining that the password was lost) and someone can get in. The same rule applies to the login form itself: it should return one generic message whether the user name is unknown or the password is wrong, so that neither the autocomplete nor the error text confirms which accounts exist.
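The two points above (passwords kept in a recoverable form, and user names confirmed to anyone who asks) have the same remedy, so here is one added example that covers both. It is illustrative code written for this review, not code from ICRISAT LIMS; the user store, the PBKDF2 parameters and the Administrator record are assumptions constructed for the demonstration. Each account holds only a random salt and a PBKDF2-HMAC-SHA256 digest, the profile view has no password field, an administrator can reset a password without ever learning the old one, and the login path does the same amount of work and returns the same error for an unknown user as for a wrong password.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters for the example: a per-user 16-byte salt and 100k PBKDF2 rounds.
ITERATIONS = 100_000
GENERIC_ERROR = "Invalid username or password"


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class UserStore:
    """In-memory stand-in (constructed for this example) for the LIMS user table."""

    def __init__(self):
        self._users = {}  # username -> [salt, digest, access_level]
        # Dummy credential so that a lookup of a non-existent user costs the same
        # PBKDF2 work as a real one; otherwise response time leaks which names exist.
        self._dummy = hash_password(secrets.token_hex(16))

    def create_user(self, username, password, access_level):
        salt, digest = hash_password(password)
        self._users[username] = [salt, digest, access_level]

    def verify(self, username, password):
        record = self._users.get(username)
        salt, stored = (record[0], record[1]) if record else self._dummy
        _, candidate = hash_password(password, salt)
        ok = hmac.compare_digest(candidate, stored)  # constant-time comparison
        return ok and record is not None

    def login(self, username, password):
        """Same generic failure for 'no such user' and 'wrong password'."""
        if self.verify(username, password):
            return {"ok": True, "access_level": self._users[username][2]}
        return {"ok": False, "error": GENERIC_ERROR}

    def admin_reset_password(self, username):
        """Administrator reset: returns a one-time replacement, never the old password."""
        if username not in self._users:
            raise KeyError(username)
        temporary = secrets.token_urlsafe(12)
        salt, digest = hash_password(temporary)
        self._users[username][0:2] = [salt, digest]
        return temporary

    def export_profile(self, username):
        """What an 'edit profile' screen should expose: no password at all."""
        return {"username": username, "access_level": self._users[username][2]}


if __name__ == "__main__":
    store = UserStore()
    store.create_user("Administrator", "admin", 1)  # constructed sample account
    print(store.login("Administrator", "admin"))
    print(store.login("Administrator", "oops"))    # same message as the next line
    print(store.login("no-such-user", "oops"))
    print(store.export_profile("Administrator"))
    temp = store.admin_reset_password("Administrator")
    print("reset ok:", store.login("Administrator", temp)["ok"])
```

The dummy credential and `hmac.compare_digest` matter as much as the generic error text: if the unknown-user branch returned early, an attacker could still enumerate accounts by timing the responses. In a real deployment the store would be the database table and the one-time password would be delivered out of band with a forced change at first login.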

When setting up a user you do not get a nice drop-down that tells you about access levels. Instead you are supposed to enter a number. Luckily there are only four access levels:

I cannot imagine why it would be so difficult to simply give the user a drop-down list at that point. I had to refer to the documentation to figure out the access levels. As a design standard I would say that forcing users to seek out documentation for settings is poor design, particularly when it is so easy to provide the user with everything she needs right there on the screen. Gone are the days when we were fighting with applications for bandwidth or for screen real estate because of clunky user interface design tools. If your target client is an HTML browser then you can include copious documentation right there in the browser and hide it using HTML/JavaScript until the user requests it. Therefore, for browser-targeted applications, I recommend a strong context-sensitive help strategy that keeps the user inside the application rather than bouncing around searching for separate reference information.

The documentation in the application is out of date. There are still references to, and screenshots of, the old Windows-only, two-tier application that is no longer available. This needs to be updated for the current version. I strongly suggest that the LIMS developers stop trying to build their documentation directly in HTML, start using a lightweight markup tool like Markdown, and maintain the source files in version control. That way you can tag all of the help files for the present release, compile them all at one time using a script, and include them with the release. Repeat this process for subsequent releases.

The benefit of keeping your source support files in a non-HTML format is that they can be searched and parsed easily by various programs. They can also be included inside the application itself as context-sensitive help.


Citation: ICRISAT LIMS - Logging In. (2012). Retrieved Sun Apr 30 04:59:56 2017, from http://www.limsexpert.com/cgi-bin/bixchange/bixchange.cgi?pom=limsexpert3;iid=readMore;go=1346297712