- <li><em>date</em>: Tue Mar 16 09:15:08 2004</li>
- <li><em>from</em>: cfowler at outpostsentinel.com (Chris Fowler)</li>
- <li><em>in-reply-to</em>: <<a href="msg00565.html">[email protected]</a>></li>
- <li><em>references</em>: <1079441240.21367.8.camel@devel> <<a href="msg00565.html">[email protected]</a>></li>
- <li><em>subject</em>: [ale] User authentication in web app</li>
We also checked against IP. So if the IP was different, that would
immediately invalidate the cookie.
On Tue, 2004-03-16 at 09:08, George Carless wrote:
> > I want to do a similar thing in the webapp. I plan on using a table in
> > our database to store user accounts for the application. So during the
> > login phase I'll get their password and do a select on that table. I
> > could simply use the password() function in mysql like this:
> >
> > select * from users where PASSWORD like PASSWORD('value');
>
> You should key against both the username and the password. Also, I'd
> recommend using something like md5() rather than password(), for stronger
> passwords.. and it's probably best to create the md5 sum within your
> application server rather than at the database, to avoid passing
> unencrypted passwords around. And don't use "like" on a known value; use
> "=".
>
> > Next question I have is on session tracking. I can then use the servlet
> > session API and then add this encrypted string to the cookie. Every
> > time the user accesses a page I can then do this:
> > select * from users where PASSWORD like PASSWORD('value');
>
> I would think you would be better off storing a table of known valid
> sessions, keyed perhaps against user id, session id, IP address. If you
> absolutely must store the password in the cookie (which I don't think you
> should), make sure you're storing a hash of it and NOT anything that can
> be used to determine the original password. And to be honest I would
> probably say, with my usual disclaimer that I'm not trying to be rude (I'm
> just British) that if you're needing to ask these questions then you're
> probably not *that* concerned about mega security beyond good basic
> precautions, in which case you might be as well off just checking against
> a userid/sessionid/ip address match. I can't see any gain from storing
> the password in the cookie, except insomuch as it provides another key to
> check against to prevent people from faking/guessing session variables.
> But you should probably store some other arbitrary value if you're looking
> for that, anyhow.
>
> If anyone disagrees massively with me then please chip in, especially
> since my own session handling routines are gradually becoming a
> spaghetti-like mess of code and could probably use a rework some time
> soon.
>
> Cheers,
> --George
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale">http://www.ale.org/mailman/listinfo/ale</a>
</pre>
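<p>An added example, not code from the thread or from either poster: the login lookup keyed on both username and password hash, compared with "=" rather than LIKE and parameterized, with the hash computed in the application; and a table of valid sessions keyed on (user id, session id, IP address), where an IP mismatch drops the session. It uses sqlite3 in place of MySQL, and unsalted SHA-256 stands in for the md5()/PASSWORD() the thread discusses so that the "keyed on password only" problem is visible with two users sharing a password; a real deployment should use a salted, slow password hash. Table and function names are illustrative.</p>

```python
import hashlib
import secrets
import sqlite3
from typing import Optional

# Illustrative schema (assumption, not the poster's): users plus a table of
# known valid sessions keyed on session id, user id and client IP.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    pwhash   TEXT NOT NULL
);
CREATE TABLE sessions (
    session_id TEXT PRIMARY KEY,
    user_id    INTEGER NOT NULL REFERENCES users(id),
    ip         TEXT NOT NULL
);
"""


def hash_password(password: str) -> str:
    # Hashed in the application, so the cleartext never travels to the DB.
    # Unsalted SHA-256 mirrors the thread's md5() suggestion; use a salted,
    # slow hash (bcrypt/scrypt/Argon2) in anything real.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> int:
    cur = conn.execute(
        "INSERT INTO users (username, pwhash) VALUES (?, ?)",
        (username, hash_password(password)),
    )
    conn.commit()
    return cur.lastrowid


def login_by_password_only(conn: sqlite3.Connection, password: str) -> Optional[int]:
    # The pattern the thread warns against: keyed on the password alone, so
    # the first user with that password is returned, whoever they are.
    row = conn.execute(
        "SELECT id FROM users WHERE pwhash = ? ORDER BY id",
        (hash_password(password),),
    ).fetchone()
    return row[0] if row else None


def login(conn: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    # Keyed on username AND hash, exact match with "=", bound parameters.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND pwhash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


def create_session(conn: sqlite3.Connection, user_id: int, ip: str) -> str:
    # A random token goes in the cookie, never the password or its hash.
    session_id = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO sessions (session_id, user_id, ip) VALUES (?, ?, ?)",
        (session_id, user_id, ip),
    )
    conn.commit()
    return session_id


def validate_session(conn: sqlite3.Connection, session_id: str, ip: str) -> Optional[int]:
    # Per-request check against the session table. An IP mismatch does not
    # merely fail this request; it invalidates the session outright.
    row = conn.execute(
        "SELECT user_id, ip FROM sessions WHERE session_id = ?", (session_id,)
    ).fetchone()
    if row is None:
        return None
    user_id, bound_ip = row
    if bound_ip != ip:
        conn.execute("DELETE FROM sessions WHERE session_id = ?", (session_id,))
        conn.commit()
        return None
    return user_id


def demo() -> dict:
    # Constructed sample data: two users who happen to share a password.
    conn = open_db()
    alice = add_user(conn, "alice", "hunter2")
    bob = add_user(conn, "bob", "hunter2")
    sid = create_session(conn, login(conn, "bob", "hunter2"), "10.0.0.5")
    return {
        "alice_id": alice,
        "bob_id": bob,
        "password_only_returns": login_by_password_only(conn, "hunter2"),
        "bob_login": login(conn, "bob", "hunter2"),
        "bad_password": login(conn, "bob", "wrong"),
        "same_ip": validate_session(conn, sid, "10.0.0.5"),
        "other_ip": validate_session(conn, sid, "10.0.0.9"),
        "after_mismatch": validate_session(conn, sid, "10.0.0.5"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<p>Running <code>demo()</code> shows the password-only lookup handing back alice's id for bob's password, the keyed lookup returning bob, and the session surviving a request from the bound IP but being removed on the first request from another address, so even the original IP is rejected afterwards.</p>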
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00571" href="msg00571.html">[ale] User authentication in web app</a></strong>
<ul><li><em>From:</em> cleon42 at yahoo.com (Adam Levenstein)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00564" href="msg00564.html">[ale] User authentication in web app</a></strong>
<ul><li><em>From:</em> cfowler at outpostsentinel.com (Chris Fowler)</li></ul></li>
<li><strong><a name="00565" href="msg00565.html">[ale] User authentication in web app</a></strong>
<ul><li><em>From:</em> kafka at antichri.st (George Carless)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
</body>
</html>