<ul>
<li><em>date</em>: Tue Mar 16 09:11:01 2004</li>
<li><em>from</em>: kafka at antichri.st (George Carless)</li>
<li><em>in-reply-to</em>: <1079441240.21367.8.camel@devel></li>
<li><em>references</em>: <1079441240.21367.8.camel@devel></li>
<li><em>subject</em>: [ale] User authentication in web app</li>
</ul>
You should key against both the username and the password. Also, I'd
recommend using something like md5() rather than password(), for stronger
passwords, and it's probably best to create the md5 sum within your
application server rather than at the database, to avoid passing
unencrypted passwords around. And don't use "like" on a known value; use
"=".
> Next question I have is on session tracking. I can then use the servlet
> session API and then add this encrypted string to the cookie. Every
> time the user accesses a page I can then do this:
> select * from users where PASSWORD like PASSWORD('value');
I would think you would be better off storing a table of known valid
sessions, keyed perhaps against user id, session id, IP address. If you
absolutely must store the password in the cookie (which I don't think you
should), make sure you're storing a hash of it and NOT anything that can
be used to determine the original password. And to be honest I would
probably say, with my usual disclaimer that I'm not trying to be rude (I'm
just British) that if you're needing to ask these questions then you're
probably not *that* concerned about mega security beyond good basic
precautions, in which case you might be as well off just checking against
a userid/sessionid/ip address match. I can't see any gain from storing
the password in the cookie, except insomuch as it provides another key to
check against to prevent people from faking/guessing session variables.
But you should probably store some other arbitrary value if you're looking
for that, anyhow.
If anyone disagrees massively with me then please chip in, especially
since my own session handling routines are gradually becoming a
spaghetti-like mess of code and could probably use a rework some time
soon.
Cheers,
--George
</pre>
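The pattern George describes above, as an added example that is not part of the original message or the ALE thread: the password is hashed in the application rather than in SQL, the user row is selected on both username and hash with "=" instead of "like", and valid sessions live in their own table keyed on session id, user id and client IP, with the cookie carrying a random token rather than anything password-derived. The message suggests md5(); this example substitutes salted PBKDF2-SHA256 from the Python standard library. The sqlite3 schema, table and column names, and the iteration count are assumptions made for the example.

```python
"""Added example (not code from the original ALE message or its author).

A small sqlite3 model of the advice in the message: hash in the application,
check username AND hash with '=' (never LIKE), keep a sessions table keyed on
(session id, user id, client IP), and put only a random token in the cookie.
The message suggests md5(); salted PBKDF2-SHA256 is substituted here.
Schema, names and the round count are assumptions for the demo.
"""
import hashlib
import os
import secrets
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumed iteration count for the demo


def hash_password(password: str, salt: bytes) -> str:
    """Application-side hash: the clear-text password never reaches SQL."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return digest.hex()


def open_db() -> sqlite3.Connection:
    """In-memory schema (assumed): users with a per-user salt, plus a sessions table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id       INTEGER PRIMARY KEY,
            username TEXT UNIQUE NOT NULL,
            salt     BLOB NOT NULL,
            pw_hash  TEXT NOT NULL
        );
        CREATE TABLE sessions (
            session_id TEXT PRIMARY KEY,
            user_id    INTEGER NOT NULL REFERENCES users(id),
            ip         TEXT NOT NULL
        );
        """
    )
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Store username, a fresh random salt and the application-computed hash."""
    salt = os.urandom(16)
    cur = conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    return cur.lastrowid


def login(conn: sqlite3.Connection, username: str, password: str, client_ip: str):
    """Return a new session id on success, else None.

    The salt is looked up by username, the hash is computed here, and the row
    is then selected on BOTH username and hash with '=' (the message's point:
    key on both, and never use LIKE on a known value).
    """
    row = conn.execute("SELECT salt FROM users WHERE username = ?", (username,)).fetchone()
    # Hash against a throwaway salt for unknown users so the work done is the same.
    salt = row[0] if row else os.urandom(16)
    candidate = hash_password(password, salt)
    match = conn.execute(
        "SELECT id FROM users WHERE username = ? AND pw_hash = ?",
        (username, candidate),
    ).fetchone()
    if match is None:
        return None
    # The cookie value is an unguessable random token, not a password hash.
    session_id = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO sessions (session_id, user_id, ip) VALUES (?, ?, ?)",
        (session_id, match[0], client_ip),
    )
    return session_id


def validate_session(conn: sqlite3.Connection, session_id: str, client_ip: str):
    """Per-request check: user id if (session id, IP) is a known valid pair, else None."""
    row = conn.execute(
        "SELECT user_id FROM sessions WHERE session_id = ? AND ip = ?",
        (session_id, client_ip),
    ).fetchone()
    return row[0] if row else None


def logout(conn: sqlite3.Connection, session_id: str) -> None:
    """Invalidate a session by deleting its row; the cookie alone is then worthless."""
    conn.execute("DELETE FROM sessions WHERE session_id = ?", (session_id,))


def count_hash_matches(conn: sqlite3.Connection, value: str, use_like: bool) -> int:
    """Why LIKE is wrong on a known value: a bare '%' matches every row under LIKE."""
    op = "LIKE" if use_like else "="  # operator chosen by the code, not by input
    return conn.execute(f"SELECT COUNT(*) FROM users WHERE pw_hash {op} ?", (value,)).fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    add_user(db, "alice", "correct horse battery staple")  # constructed sample user
    sid = login(db, "alice", "correct horse battery staple", "10.0.0.1")
    print("session valid from same IP:", validate_session(db, sid, "10.0.0.1"))
    print("session valid from other IP:", validate_session(db, sid, "10.0.0.2"))
    print("rows matched by LIKE '%':", count_hash_matches(db, "%", use_like=True))
    print("rows matched by = '%':", count_hash_matches(db, "%", use_like=False))
```

The session check is the cheap per-request path the message recommends: one indexed lookup on the sessions table, with the IP as an extra key, and nothing in the cookie that can be turned back into a password. The count_hash_matches helper only exists to make the LIKE point concrete: with LIKE, a value of '%' matches every user, while '=' matches none.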
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00567" href="msg00567.html">[ale] User authentication in web app</a></strong>
<ul><li><em>From:</em> cfowler at outpostsentinel.com (Chris Fowler)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00564" href="msg00564.html">[ale] User authentication in web app</a></strong>
<ul><li><em>From:</em> cfowler at outpostsentinel.com (Chris Fowler)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
</body>
</html>