APP SID Validation

Thanks for the reply Deal,

Let me explain it little deeper now, consider the belwo scenario

1. I logged in to Wialon hosting site and clicking the Apps button and invoking my custom App, which will open another browser instance and render my app which is running in our own webserver.

2. Along with the APP URL I am also getting the Sid from the parent browser which is running the wialon hosting website

3. Now using the Sid can I authorize the webrequest coming to our web server via Wialon SDK API's ? I am using JavaScript API from the wialon sdk inside our App

4. For example If someone copy the URL along with the sid and shared to  other person and if the other guy tries to launch the App from different IP I want to block those requests.

5. The IP on which the APP is launched is eligible to use my App but not from other IP's, can I use the Sid to validate anything from the SDK JavaScript API ?

6. Also using the Sid Can I use any JavaScript API in my App which pulls some Unit specific data directly without calling the login API ? In other words whether Sid carries any context to my APP or it only meaningful to Wialon Web server ? then what is the use of passing the Sid to the APP ?

I hope I am explaining thing properly here, If it is confusing let me know I will try to rephrase it. 

Thanks in advance.

Thanks for the reply Deal.

I tried your solution but still I was able to access the APP by copying the URL and pasting it from different IP and the APP is still working without any authorization error which is my concern here.

Let me explain the steps I did

1. Passed the sid and authhash from my published App via querystring ( I made these changes via AppConfigurator from CMS )
2. Now my App will get the authHash from the querystring and login via "loginAuthHash" JS API
3. From that IP and session I was able to query different data using JS API which is good and correct
4. Now I copied the URL along with all the querystring and pasted from a different Server (IP of this server will be different )
5. Instead of authorization error I was able to query and get information from wialon server using JS API's from different IP's simultaneously
6. Both my Server1 with IP1 and Server2 with IP2 was able to query wialon API successfully
7. Server1 with IP1 was legitimate to use my APP but not Server2 with IP2
8. Js API loginAuthHash() was not throwing any authorization error if I use it multiple times with the same authHash which is contradicting.

Am I doing anything wrong here Or I need to implement any authorization logic from my webserver which is hosting the APP ?

I shared the Server1 and Server2 screenshot for your reference

Please explain how to enforce authorization checks properly so that URL copy & paste access can be eliminated completely.

Thanks in advance.

karthik, authHash can't be used twice. Try to test such steps in Your app:
1. Get new sid using loginAuthHash and authHash from query string. Ignore sid in query string.
2. Make all requests using new sid.
3. In Your app with different IP old authHash won't work as it was already used.
Profit.