June 20th, 2005, 08:59 PM
using sessions for authentication
I am writing a program using Java servlets. I want to use a session for user authentication.
In the login page I check the user's user name and password against the usernames and passwords in my database and store the username and password in a session.
After that, do I have to check the user name and password stored in the session against my database on every page? Or can I just check whether there is a session available and, if the session is available, allow the user to view the page?
Thanks a lot,
June 20th, 2005, 09:27 PM
This page can show you how to do it with php, if that helps any. I use something similar to this for some web stuff, and it works pretty well.
edit: I think that link got screwed up, here it is:
(kr5kernel at hotmail dot com)
Linux: Making Penguins Cool Since 1994.
June 21st, 2005, 12:49 AM
I assume you are dealing successfully with the servlet API[1-3]
for the authentication, managing/tracking of the state or sessions.
You are here interested in the security implications thereof. I
want to illustrate my understanding of state and sessions and
a few thoughts about securing it. I hope I do not confuse too much,
because plenty of texts available actually do mix up certain issues.
I would suggest that you read an overview of session management
on the web, to fix the ideas and to make you aware of possible weaknesses.
In particular, even the Servlet's 128-bit session id environment is flawed
by the initial seed of the pseudo-random generator, and eventually allows
client sessions to be hijacked. I look at this whole subject from a
rather theoretical point of view and would be very happy to listen to
people in the front line.
To your question:
Let me recapitulate state management. If you are using cookies/url-post
to keep track of the state (e.g. transactions, shopping cart, hashed
user-id, ...), it will be sent by the browser at each request
and could consist of quite some data. People tend to secure it by applying
a very short life-time to a cookie, in particular if the cookie stores
sensitive data, like a hashed user-id (expiration date: cookie.setMaxAge).
In addition, the sensitivity of the data accessible with that particular
user-id also is thrown into the equation. Since you cannot control the
environment of the user accessing your page, a logout-function might come
in handy too.
In the case of sessions, just a session id will be stored in a cookie or by
url-post, and management thereof is transparent. The "state" can be stored
in the servlet, i.e. server-side, and/or client-side if the state information
should be available at a later time. As already mentioned, the session will
lose its validity after closing the browser or ending the servlet. The same
precautions as for state management can be used.
Provide additional information for further discussion.
/edit: you might find a few alternative/additional inspirations here on AO
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
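An added example, not posted by anyone in this thread: one way to gate every protected page on server-side session state, with the idle timeout and logout function mentioned above. It assumes the `javax.servlet` API on the classpath; the attribute name `authUser`, the `/login` path and the 15-minute limit are hypothetical choices, and the database check itself is left to the login servlet.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: allow a request only if the session carries the login marker. */
public class AuthFilter implements Filter {
    static final String USER_ATTR = "authUser";       // hypothetical attribute name
    static final int IDLE_TIMEOUT_SECONDS = 15 * 60;  // assumed idle limit

    /** Call from the login servlet only after the database check has succeeded. */
    public static void establishSession(HttpServletRequest req, String username) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();                         // discard any pre-login session id
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(USER_ATTR, username);      // identity only, no password kept
        fresh.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
    }

    /** Call from the logout servlet. */
    public static void endSession(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) {
            s.invalidate();                           // server forgets the session state
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // getSession(false) never creates a session. getSession() would hand any
        // visitor a new empty one, so "a session exists" alone proves nothing;
        // the marker set by establishSession() is what shows a completed login.
        HttpSession s = req.getSession(false);
        if (s == null || s.getAttribute(USER_ATTR) == null) {
            res.sendRedirect(req.getContextPath() + "/login"); // hypothetical login path
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

The filter is mapped in `web.xml` to the protected URL patterns, so individual pages need no check of their own.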