
[no subject]



In the past all users were stored in our special password system.  This
was on an embedded machine.  I used getpwnam() to get user data and then
I would get ACL data.  That is just the details.  To track users I would
auth their password against the one in the passwd system using one-way
encryption.  I then took the one-way encrypted string and added it to a
cookie.  The cookie data was 128-bit encrypted.  Every time the user
would access a page I would then re-authenticate them with that one-way
encrypted password that they entered on the login page.  If there was no
match then I would redirect them to the login page.  The reason I did
this was for the case where the administrator changed their password
or rights in between pages.  This was the only way I could think of to
guarantee they had privs to the site.

I want to do a similar thing in the webapp.  I plan on using a table in
our database to store user accounts for the application.  So during the
login phase I'll get their password and do a select on that table.  I
could simply use the password() function in mysql like this:

select * from users where PASSWORD like PASSWORD('value');

If I get a row then obviously the password matched.  Is this the correct
thing to do?

Next question I have is on session tracking.  I can then use the servlet
session API and then add this encrypted string to the cookie.  Every
time the user accesses a page I can then do this:

select * from users where PASSWORD like PASSWORD('value');

If I get a match then I know the user is good.  Otherwise I need to
redirect them to the login servlet.

This is the only way I can guarantee they have access between each page.

Is my solution a good solution, or does it provide too much overhead?  I
want to keep good track of users and make sure there are no loopholes in
the security system.

Thanks,
Chris
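Added example (not Chris's code and not from the ALE thread): the login check and
the per-page re-check described above, written in Python against an in-memory
SQLite table standing in for the MySQL users table.  Two things differ from the
query in the message, on purpose.  The lookup is by username with a bound
parameter, because "where PASSWORD like PASSWORD('value')" has no username
condition (it matches any account holding that password) and, built by string
concatenation in a servlet, is open to SQL injection; and instead of carrying
the password hash in the cookie and re-hashing on every page, the session holds
a random token plus the "credential version" it was issued under.  Changing the
password or the rights bumps that version, so the next page request fails and
redirects to login exactly as Chris wants, without a hash per request.  The
table names, the PBKDF2 parameters and the role column are assumptions for the
example.

```python
# Added example, not code from the original message.  SQLite stands in for
# the MySQL "users" table; schema, column names and PBKDF2 settings are
# assumptions made for this demonstration.
import hashlib
import hmac
import os
import secrets
import sqlite3

PBKDF2_ITERATIONS = 100_000  # assumption: tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256) of the password."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def make_db() -> sqlite3.Connection:
    """Constructed schema.  users.cred_version is bumped whenever the password
    or the rights change; each session remembers the version it was issued under."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, "
        "pw_hash BLOB NOT NULL, role TEXT NOT NULL, cred_version INTEGER NOT NULL)"
    )
    conn.execute(
        "CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT NOT NULL, "
        "cred_version INTEGER NOT NULL)"
    )
    return conn


def create_user(conn, username: str, password: str, role: str) -> None:
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash, role, cred_version) "
        "VALUES (?, ?, ?, ?, 1)",
        (username, salt, hash_password(password, salt), role),
    )


def login(conn, username: str, password: str):
    """Login phase: select by username with a bound parameter, compare the
    hashes in constant time, and return a random session token on success
    (None on failure).  The hash itself never leaves the database."""
    row = conn.execute(
        "SELECT salt, pw_hash, cred_version FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    salt, stored_hash, version = row
    if not hmac.compare_digest(stored_hash, hash_password(password, salt)):
        return None
    token = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO sessions (token, username, cred_version) VALUES (?, ?, ?)",
        (token, username, version),
    )
    return token


def check_request(conn, token: str):
    """Per-page check: return the user's current role, or None when the token
    is unknown or the password/rights changed since the session was issued."""
    row = conn.execute(
        "SELECT s.cred_version, u.cred_version, u.role FROM sessions s "
        "JOIN users u ON u.username = s.username WHERE s.token = ?",
        (token,),
    ).fetchone()
    if row is None:
        return None
    seen_version, current_version, role = row
    if seen_version != current_version:
        # Admin changed the password or rights between pages: drop the
        # session so the caller redirects to the login servlet.
        conn.execute("DELETE FROM sessions WHERE token = ?", (token,))
        return None
    return role


def change_password(conn, username: str, new_password: str) -> None:
    salt = os.urandom(16)
    conn.execute(
        "UPDATE users SET salt = ?, pw_hash = ?, cred_version = cred_version + 1 "
        "WHERE username = ?",
        (salt, hash_password(new_password, salt), username),
    )


def change_role(conn, username: str, role: str) -> None:
    conn.execute(
        "UPDATE users SET role = ?, cred_version = cred_version + 1 "
        "WHERE username = ?",
        (role, username),
    )
```

In a servlet the token would go in the session cookie (HttpOnly, Secure) and
check_request would run in a filter in front of every protected page; the
per-request cost is one indexed join rather than a password hash, and the
session dies the moment an administrator changes the account.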


</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00565" href="msg00565.html">[ale] User authentication in web app</a></strong>
<ul><li><em>From:</em> kafka at antichri.st (George Carless)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>