One Security Concern

[achille005]

On the second screen we are saving details to DB with no "I'm not a robot verification. That is nothing is preventing the spams to fill up our salesforce backend! True?

[Astrea123]

This is not clear to me ,Please elaborate your point

[achille005]

I corrected it above, i meant on the log in screen we dn't have recatcha (i am not a robot) is that an issue?

[Astrea123]

No, it is not a issue. But generally recaptcha is present on 2nd page to verify user before finally inserting data.

[achille005]

Why it is not an issue?

[Astrea123]

During registration data is inserted into database after login, on "JobProfile" or "Resume Profile set up" page data remains in computer memory only.

So during registration while on first screen even if user is robot it doesn't matter to us, as no data is being inserted in our database. While finally inserting data on our database we should verify the authenticity of user.

We can't use recaptcha on both screen as it will only waste time of user as recaptcha verification takes time. It can also irritate user.

Hope my point is clear to you.

[achille005]

No. We want to save those info on second page before moving to next screen. That is forget about recaptch on login screen it seems like the app is not letting the user access the login screen directly.

[Astrea123]

Your point is not clear to me.

[achille005]

During registration data is inserted into database after login, on "JobProfile" or "Resume Profile set up" page data remains in computer memory only.

• Data is inserted into db on second screen (and the rest on login). I though we were clear on that. Isn't that how you are doing it today? ( When you were on a leave, i explained that to the person who took over the reason why we are doing it like that)

We can't use recaptcha on both screen as it will only waste time of user as recaptcha verification takes time. It can also irritate user.

• keep the recaptcha on 2nd screen as it is today. That is enough.
• one thing you can do before saving from login screen is to validate if the user has already entered "Job Title" and emailaddress on 2nd screen. if not dont save it into db ( it might be a robot) - One core business rule of our app is no account should be created without a "job title" and location as the cron job need them. Let' me take this back, it is better you save the social media email but the one the user entered manually. ( use social media email only for authentication )

[achille005]

When you said: "We can't use recaptcha on both screen as it will only waste time of user as recaptcha verification takes time. It can also irritate user." I agreed with you. Why you end up implementing the recaptcha. I have suggested you the followings:

• before saving from login screen is to validate if the user has already entered "Job Title" and emailaddress on 2nd screen. if not dont save it into db ( it might be a robot)
• Save the social media email but the one the user entered manually should be used for cron email. ( use social media email only for authentication )

[Astrea123]

1) Please once confirm whether you want recaptcha on JobSeekerInformation and RecruiterRegistration screen also or not.

2) We are already validating before saving data in database if user has entered Job Title and Email Address or not.

3) From this point "Save the social media email but the one the user entered manually should be used for cron email. ( use social media email only for authentication )" what we have understood is you want to send job update to user on the id which he entered on ResumeProfile or JobProfile screen and for login authentication you want to use social media id. If it is so, then social media login will be of no use.

Also, it doesn't make sense that for login to app user is using one id and all updates from same app he is receiving on another.

[achille005]

• Recaptcha during registration ( log In Screen) - 1.) & 2.) if you are already validating with email address and job title entered on second screen then no point doing the recaptcha again on the registration login screen - remove it. Please paste here that portion of the code where you validating - i want to search the code and review the logic.
• 3.) How are you handling the case where the user enter an email address on second screen that is different from the one the have on their social media account?

[Astrea123]

1) We are validating on both client side and server side that Job Title and Email address shouldn't be null.

For server side, We have also imposed condition on postgress that value of Job Title and Email Address can't be null. If value of any of these field will be null it will not be inserted in database, and it will give error to user in form of alert.

On client side code is:

  `if((($('#UserJobTitle').val()).trim()=='')||(($('#UserEmail').val()).trim()==''))||($('#ConfirmUserEmail').val()).trim()=='')){
  console.log('something is missing')

   if(($('#UserJobTitle').val()).trim()==''){
        // validation display
    }

     if(($('#UserEmail').val()).trim() == '') {
     // validation display
 }

 if(($('#ConfirmUserEmail').val()).trim()==''){
    // validation display
 }
}
else{
 //task to be performed
   }`

This segment of code will run when user click continue button on entering value.

2) How are you handling the case where the user enter an email address on second screen that is different from the one the have on their social media account?

For this we have created different test cases: a) user entered email address on ResumeProfile for which account was already created either by normal login or social login- User will be prompted with alert that account with thid id already exist. He won't be able to create new account using that id.

b) user entered email address for which no account was created- User will be redirected to next screen i.e. Job category Screen.

On ResumeProfile screen we validate that our database shouldn't contain account already with that mail id.

c) user entered email address for which no account exist then on JobSeekerInformation he proceed with normal registration- new account with same email address will be created.

d) user entered email address on ResumeProfile for which no account exist then he do login by social media using same id - In this case, new account will be created with the same id.

e) user entered email address on ResumeProfile for which no account exist then he do login by social media using different id- While doing social media registration if user enter email address other then email address he enter on ResumeProfile screen then, we will update email address of ResumeProfile and set social media email in JobSeekerInformation. So, finally database will contain social media email address. same email id is used for authentication and cron emails.

[achille005]

1. We are validating on both client side and server side that Job Title and Email address shouldn't be null. The piece of code you gave me above is NOT what i was looking for! When press "Log in to review new candidates" button on login screen during registration, you should check the session to see if the user has already entered "job title" and email address on previous 2nd screen. If so no need for Recaptcha again because you know the only way the user can have the "email address" and "job title" in the session is if they have already entered it previously on 2nd screen with recaptcha. Please confirm you understand me and show me the code ( i have locally checked out the code)

[achille005]

2. Social medial login during registration: . Continue with facebook is pressed > retrieve first name & last name > populate fName and lName fields ( for user to change them if needed); Hide password ( no recaptcah -- see above comment) > "Log in button is pressed" > facebook authenticate the user remotely > user is on dashboard

Note: No need to check if email exist already or not. The user is just doing a remote authentification. We have already collected his email that is what we will be using for cron jobs.

[Astrea123]

When User clicks on Social media button 1) fetch user info like fname,lname,email 2)insert fname,lname on the corresponding fields and change value of email on the label 3)hide password field then user can press login button and social media email will save in the database and that will be use everywhere

[achille005]

then user can press login button and social media email will save in the database and that will be use > >everywhere I agree, but before we close this, log out of facebook and tweeter on your pc and try the flow and let me know

[achille005]

• Also when the user try to login using social media and the email is already in DB. you pop up a message saying "email is already in database" and you don't advise anything. What do you want the user to do then?

[achille005]

3 Points: 1.) I am fine your removing recaptcha from login page during registration 2.) try how indeed.com works. Even if the email is already in db, you should still authenticate (log in ) the user via facebook and take to his dashboard 3.) the Trial subscription i have put in #10