Re: LoginSecurityFAQ and sessionID/tokens

2009-06-12 Thread mars1412

as I interpret this article:
http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications

then you should do 2 things:
store the session-id in a cookie on the client side + include the
session-id in every RPC call (to prevent XSFR)

and if you call a custom servlet from your application (e.g. we need
this to upload files), you should also include a hidden field with a
copy of the session-id.

anyone please correct me, if that's wrong


On Jun 11, 12:35 pm, Paul Robinson  wrote:
> If you store the session ID in a cookie so that user logins can persist
> beyond browser refreshes (as suggested in the FAQ), then the session ID
> will end up in the header anyway.
>
> eags wrote:
> > I am implementing user logins and authentication using the model
> > presented in the login security FAQ.  In particular I plan on manually
> > maintaining a table of {sessionID,User,timeout} values for each active
> > session and not using the normal servlet session functionality.
>
> > So, my question is, where do I get the ID that is returned to the
> > client?  I know that I can get one from the servlet session using
> > HttpServletRequest.getSession().getId() but it seems like I could just
> > use any randomly generated key right?  And maybe in fact I should not
> > use that technique because that sessionID is also in the header where
> > it can be easily snooped right?  So, what is a good technique for
> > generating the sessionID?  To avoid duplicates I would just check the
> > sessionID table before returning the sessionID to the client and if it
> > is already in use I just call generateSessionID() again.  So my
> > question is what should getSessionID() look like?
>
> > I realize the recommended approach in the LoginSecurityFAQ is
> > controversial and I've already read all that debate so I'm not really
> > interested in more of that.  I just need specific help regarding these
> > questions assuming I am doing what is recommended in the FAQ.
>
> > Thanks in advance for any help.
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to Google-Web-Toolkit@googlegroups.com
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~--~~~~--~~--~--~---
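The check mars1412 describes, as an added example that is not code from the thread or from GWT: a request is accepted only when the session id in the cookie matches the copy the client placed inside the request itself (the RPC argument, or the hidden field on the upload form), and that id is still a live row in the session table. The cookie name "sid" and the id-to-expiry map are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Added example, not code from the thread or from GWT. The cookie name "sid" and the
// expiry map (a stand-in for the {sessionID,User,timeout} table) are assumptions.
public final class XsrfCheck {

    // Pulls one cookie out of a raw Cookie header such as "theme=dark; sid=0f3a9c".
    static String cookieValue(String cookieHeader, String name) {
        if (cookieHeader == null) return null;
        for (String part : cookieHeader.split(";")) {
            String[] kv = part.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals(name)) return kv[1];
        }
        return null;
    }

    // Constant-time comparison: response timing must not reveal how many leading characters matched.
    static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) return false;
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    // expiryById maps session id -> expiry time in millis, i.e. the timeout column of the table.
    static boolean isAuthentic(String cookieHeader, String submittedId,
                               Map<String, Long> expiryById, long now) {
        String cookieId = cookieValue(cookieHeader, "sid");
        // A request forged from another site carries the cookie (the browser adds it) but
        // cannot carry the in-request copy, so the two disagree and the request is rejected.
        if (!constantTimeEquals(cookieId, submittedId)) return false;
        Long expiresAt = expiryById.get(submittedId);
        return expiresAt != null && expiresAt > now;   // the id must be a live, unexpired row
    }

    public static void main(String[] args) {
        Map<String, Long> table = new HashMap<>();     // constructed sample table
        table.put("0f3a9c", 2_000L);
        System.out.println(isAuthentic("theme=dark; sid=0f3a9c", "0f3a9c", table, 1_000L)); // matching copy
        System.out.println(isAuthentic("sid=0f3a9c", "", table, 1_000L));                   // copy missing
        System.out.println(isAuthentic("sid=0f3a9c", "0f3a9c", table, 3_000L));             // timed out
    }
}
```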



Re: LoginSecurityFAQ and sessionID/tokens

2009-06-11 Thread Paul Robinson

If you store the session ID in a cookie so that user logins can persist
beyond browser refreshes (as suggested in the FAQ), then the session ID
will end up in the header anyway.

eags wrote:
> I am implementing user logins and authentication using the model
> presented in the login security FAQ.  In particular I plan on manually
> maintaining a table of {sessionID,User,timeout} values for each active
> session and not using the normal servlet session functionality.
>
> So, my question is, where do I get the ID that is returned to the
> client?  I know that I can get one from the servlet session using
> HttpServletRequest.getSession().getId() but it seems like I could just
> use any randomly generated key right?  And maybe in fact I should not
> use that technique because that sessionID is also in the header where
> it can be easily snooped right?  So, what is a good technique for
> generating the sessionID?  To avoid duplicates I would just check the
> sessionID table before returning the sessionID to the client and if it
> is already in use I just call generateSessionID() again.  So my
> question is what should getSessionID() look like?
>
> I realize the recommended approach in the LoginSecurityFAQ is
> controversial and I've already read all that debate so I'm not really
> interested in more of that.  I just need specific help regarding these
> questions assuming I am doing what is recommended in the FAQ.
>
> Thanks in advance for any help.




Re: LoginSecurityFAQ and sessionID/tokens

2009-06-10 Thread Jamie

java.security.SecureRandom random = new java.security.SecureRandom(); // not java.util.Random: its output can be predicted from a few observed values
String sessionID = Long.toHexString(random.nextLong());

This will generate a 64 bit random number.

or you could use a Base64 encoder instead of using a hex string.

You might consider also adding the user's IP address into your table,
so that you can tie the sessionID to an IP address.  This is far from
un-spoof-able, but better than nothing, I suppose.
The IP address can also be unreliable when going through a NAT
appliance.

Jamie.




Re: LoginSecurityFAQ and sessionID/tokens

2009-06-10 Thread eags

LoginSecurityFAQ is here BTW (http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ)

On Jun 10, 12:28 pm, eags  wrote:
> I found one discussion with the author of the LoginSecurityFAQ where
> they ask this exact question and he does state that using a random
> sessionID other than the one automatically included in the http header
> generated by the servlet is best.
> (http://groups.google.com/group/Google-Web-Toolkit/browse_thread/thread/208f0144bc686114/842ba54ffa4f9265?lnk=gst&q=user+authentication+login+sessions#842ba54ffa4f9265)
>
> As for how to generate the token I'm thinking:
>
> String sessionID = UUID.randomUUID().toString();
>
> Any feedback is great as I'm really new to this stuff.
>
> Thanks.
>
> On Jun 10, 10:14 am, eags  wrote:
>
> > I am implementing user logins and authentication using the model
> > presented in the login security FAQ.  In particular I plan on manually
> > maintaining a table of {sessionID,User,timeout} values for each active
> > session and not using the normal servlet session functionality.
>
> > So, my question is, where do I get the ID that is returned to the
> > client?  I know that I can get one from the servlet session using
> > HttpServletRequest.getSession().getId() but it seems like I could just
> > use any randomly generated key right?  And maybe in fact I should not
> > use that technique because that sessionID is also in the header where
> > it can be easily snooped right?  So, what is a good technique for
> > generating the sessionID?  To avoid duplicates I would just check the
> > sessionID table before returning the sessionID to the client and if it
> > is already in use I just call generateSessionID() again.  So my
> > question is what should getSessionID() look like?
>
> > I realize the recommended approach in the LoginSecurityFAQ is
> > controversial and I've already read all that debate so I'm not really
> > interested in more of that.  I just need specific help regarding these
> > questions assuming I am doing what is recommended in the FAQ.
>
> > Thanks in advance for any help.



Re: LoginSecurityFAQ and sessionID/tokens

2009-06-10 Thread eags

I found one discussion with the author of the LoginSecurityFAQ where
they ask this exact question and he does state that using a random
sessionID other than the one automatically included in the http header
generated by the servlet is best.
(http://groups.google.com/group/Google-Web-Toolkit/browse_thread/thread/208f0144bc686114/842ba54ffa4f9265?lnk=gst&q=user+authentication+login+sessions#842ba54ffa4f9265)

As for how to generate the token I'm thinking:

String sessionID = UUID.randomUUID().toString();

Any feedback is great as I'm really new to this stuff.

Thanks.


On Jun 10, 10:14 am, eags  wrote:
> I am implementing user logins and authentication using the model
> presented in the login security FAQ.  In particular I plan on manually
> maintaining a table of {sessionID,User,timeout} values for each active
> session and not using the normal servlet session functionality.
>
> So, my question is, where do I get the ID that is returned to the
> client?  I know that I can get one from the servlet session using
> HttpServletRequest.getSession().getId() but it seems like I could just
> use any randomly generated key right?  And maybe in fact I should not
> use that technique because that sessionID is also in the header where
> it can be easily snooped right?  So, what is a good technique for
> generating the sessionID?  To avoid duplicates I would just check the
> sessionID table before returning the sessionID to the client and if it
> is already in use I just call generateSessionID() again.  So my
> question is what should getSessionID() look like?
>
> I realize the recommended approach in the LoginSecurityFAQ is
> controversial and I've already read all that debate so I'm not really
> interested in more of that.  I just need specific help regarding these
> questions assuming I am doing what is recommended in the FAQ.
>
> Thanks in advance for any help.



LoginSecurityFAQ and sessionID/tokens

2009-06-10 Thread eags

I am implementing user logins and authentication using the model
presented in the login security FAQ.  In particular I plan on manually
maintaining a table of {sessionID,User,timeout} values for each active
session and not using the normal servlet session functionality.

So, my question is, where do I get the ID that is returned to the
client?  I know that I can get one from the servlet session using
HttpServletRequest.getSession().getId() but it seems like I could just
use any randomly generated key right?  And maybe in fact I should not
use that technique because that sessionID is also in the header where
it can be easily snooped right?  So, what is a good technique for
generating the sessionID?  To avoid duplicates I would just check the
sessionID table before returning the sessionID to the client and if it
is already in use I just call generateSessionID() again.  So my
question is what should getSessionID() look like?

I realize the recommended approach in the LoginSecurityFAQ is
controversial and I've already read all that debate so I'm not really
interested in more of that.  I just need specific help regarding these
questions assuming I am doing what is recommended in the FAQ.

Thanks in advance for any help.
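One way to build the {sessionID,User,timeout} table eags asks about, with a generateSessionID() in the spirit of Jamie's snippet, as an added example that is not code from the thread or from GWT: ids come from SecureRandom, the duplicate check and insert are one atomic step, and lookups drop timed-out rows. The class name, the Entry type and the 128-bit id length are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not code from the thread or from GWT. Only generateSessionID()
// is named in the thread; the class, Entry and the id length are assumptions.
public final class SessionTable {
    private static final SecureRandom RNG = new SecureRandom();   // cryptographic RNG
    private static final int ID_BYTES = 16;                        // 128 bits per id
    private final ConcurrentHashMap<String, Entry> sessions = new ConcurrentHashMap<>();
    private final long ttlMillis;

    // One row of the table: the user and the absolute time at which the row expires.
    static final class Entry {
        final String user; final long expiresAt;
        Entry(String user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
    }

    SessionTable(long ttlMillis) { this.ttlMillis = ttlMillis; }

    // 128 random bits, URL-safe Base64 without padding: 22 characters, safe in a cookie or a URL.
    static String generateSessionID() {
        byte[] raw = new byte[ID_BYTES];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Login: retry on a collision, as the question proposes. putIfAbsent makes the
    // "already in use?" check and the insert atomic, so two logins cannot race on one id.
    String create(String user, long now) {
        while (true) {
            String id = generateSessionID();
            if (sessions.putIfAbsent(id, new Entry(user, now + ttlMillis)) == null) return id;
        }
    }

    // Returns the user bound to the id, or null when the id is unknown or timed out;
    // an expired row is removed so it can never be revived.
    String lookup(String id, long now) {
        Entry e = id == null ? null : sessions.get(id);
        if (e == null) return null;
        if (e.expiresAt <= now) { sessions.remove(id, e); return null; }
        return e.user;
    }

    public static void main(String[] args) {
        SessionTable table = new SessionTable(30 * 60 * 1000L);   // 30-minute timeout
        String id = table.create("alice", 0L);                    // constructed sample: login at t=0
        System.out.println(id.length() + " chars, user=" + table.lookup(id, 1_000L));
        System.out.println("after timeout: " + table.lookup(id, 31 * 60 * 1000L));
    }
}
```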