[ale] User authentication in web app
<li><em>date</em>: Tue Mar 16 16:47:39 2004</li>
<li><em>from</em>: mainwizard at vei.net (mainwizard at vei.net)</li>
<li><em>subject</em>: [ale] User authentication in web app</li>
select * from users where USERNAME = 'value';
And if you get a match you then check that the password for that user matches the password supplied.
ed.
----- Original Message -----
From: Chris Fowler
Sent: 3/16/2004 7:47:20 AM
To: ajug-members at ajug.org;ale at ale.org
Subject: [ale] User authentication in web app
> I'm trying to determine the best way to do user auth in a web
> application. I've not done this yet inside of servlets. I've done it
> within our CGI programs that were all written in C.
>
> In the past all users were stored in our special password system. This
> was on an embedded machine. I used getpwnam() to get user data and then
> I would get ACL data. That is just the details. To track users I would
> auth their password against the one in the passwd system using one way
> encryption. I then took the one way encrypted string and added it to a
> cookie. The cookie data was 128-bit encrypted. Every time the user
> would access a page I would then re-authenticate them with that one way
> encrypted password that they entered on the login page. If there was no
> match then I would redirect them to the login page. The reason I did
> this was in the condition that the administrator changed their password
> or rights in between pages. This was the only way I could think of how
> to guarantee they had privs to the site.
>
> I want to do a similar thing in the webapp. I plan on using a table in
> our database to store user accounts for the application. So during the
> login phase I'll get their password and do a select on that table. I
> could simply use the password() function in mysql like this:
>
> select * from users where PASSWORD like PASSWORD('value');
>
> If I get a row then obviously the password matched. Is this the correct
> thing to do?
>
> Next question I have is on session tracking. I can then use the servlet
> session API and then add this encrypted string to the cookie. Every
> time the user accesses a page I can then do this:
>
> select * from users where PASSWORD like PASSWORD('value');
>
> If I get a match then I know the user is good. Otherwise I need to
> redirect them to the login servlet.
>
> This is the only way I can guarantee they have access between each page.
>
> Is my solution a good solution or does it provide too much overhead? I want to
> keep good track of users and make sure there are no loopholes in the
> security system.
>
> Thanks,
> Chris
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale">http://www.ale.org/mailman/listinfo/ale</a>
>
</pre>
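The two query shapes discussed in this thread, as an added example that is not part of either message: Python with an in-memory sqlite3 table standing in for the servlet/MySQL code, and an unsalted sha256 standing in for MySQL's PASSWORD() (also unsalted). The table name `users`, the `cred_version` column, the `SESSIONS` store and all function names are assumptions. It shows why selecting on the password alone cannot identify an account once two users share a password, the reply's username-first lookup with a bound parameter and a constant-time hash comparison (using `=` rather than `LIKE`, which pattern-matches), and a way to get the per-page re-check Chris wants without putting the password hash in the cookie: the cookie carries only a random session token, and an administrator password change bumps a version counter that invalidates the session on its next request.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed stand-in for the thread's MySQL "users" table (assumed schema).
# The hash is unsalted to mirror MySQL's PASSWORD(); a real deployment should
# use a salted, slow hash (bcrypt/scrypt/PBKDF2), which also makes the
# password-only lookup below impossible, one more reason to look up by user.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY,"
        " pw_hash TEXT NOT NULL,"
        " cred_version INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def hash_password(password):
    return hashlib.sha256(password.encode()).hexdigest()


def add_user(db, username, password):
    db.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
               (username, hash_password(password)))


def rows_matching_password_only(db, password):
    # Chris's pattern: select on the password alone. Every user sharing the
    # password matches, so the result does not identify one account.
    cur = db.execute("SELECT username FROM users WHERE pw_hash = ?",
                     (hash_password(password),))
    return [r[0] for r in cur.fetchall()]


def authenticate(db, username, password):
    # The reply's pattern: fetch the one row for the username (bound
    # parameter, not string concatenation), then compare hashes in constant
    # time. Returns the user's credential version on success, None otherwise.
    row = db.execute(
        "SELECT pw_hash, cred_version FROM users WHERE username = ?",
        (username,)).fetchone()
    if row is None:
        return None
    stored_hash, cred_version = row
    if not hmac.compare_digest(stored_hash, hash_password(password)):
        return None
    return cred_version


# Server-side session store: token -> (username, cred_version at login).
# The cookie carries only the random token, never the password hash.
SESSIONS = {}


def login(db, username, password):
    cred_version = authenticate(db, username, password)
    if cred_version is None:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, cred_version)
    return token


def change_password(db, username, new_password):
    # An administrator reset bumps cred_version, which invalidates every
    # session issued under the old credential on its next request.
    db.execute(
        "UPDATE users SET pw_hash = ?, cred_version = cred_version + 1"
        " WHERE username = ?",
        (hash_password(new_password), username))


def check_request(db, token):
    # The per-page check Chris asked for: the token must be known and the
    # user's credential version must be unchanged since login.
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, version_at_login = entry
    row = db.execute("SELECT cred_version FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None or row[0] != version_at_login:
        SESSIONS.pop(token, None)
        return None
    return username


if __name__ == "__main__":
    db = make_db()
    add_user(db, "alice", "hunter2")   # constructed sample accounts
    add_user(db, "bob", "hunter2")
    print(rows_matching_password_only(db, "hunter2"))  # ['alice', 'bob']
    tok = login(db, "alice", "hunter2")
    print(check_request(db, tok))                      # alice
    change_password(db, "alice", "new-secret")
    print(check_request(db, tok))                      # None
```

The per-request cost is one indexed lookup on `username`, which is what the servlet session check would also need; the difference from re-submitting the password hash each time is that a captured cookie now only exposes a revocable token.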
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00598" href="msg00598.html">[ale] User authentication in web app</a></strong>
<ul><li><em>From:</em> jsheets at yahoo.com (Jerald Sheets)</li></ul></li>
<li><strong><a name="00599" href="msg00599.html">[ale] User authentication in web app</a></strong>
<ul><li><em>From:</em> kafka at antichri.st (George Carless)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
</body>
</html>