Re: LoginSecurityFAQ and sessionID/tokens
As I interpret this article, http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications, you should do two things: store the session ID in a cookie on the client side and include the session ID in every RPC call (to prevent XSRF), and if you call a custom servlet from your application (e.g. we need this to upload files), you should also include a hidden field with a copy of the session ID.

Anyone please correct me if that's wrong.

On Jun 11, 12:35 pm, Paul Robinson wrote:
> If you store the session ID in a cookie so that user logins can persist
> beyond browser refreshes (as suggested in the FAQ), then the session ID
> will end up in the header anyway.
>
> eags wrote:
> > I am implementing user logins and authentication using the model
> > presented in the login security FAQ. In particular I plan on manually
> > maintaining a table of {sessionID,User,timeout} values for each active
> > session and not using the normal servlet session functionality.
> >
> > So, my question is, where do I get the ID that is returned to the
> > client? I know that I can get one from the servlet session using
> > HttpServletRequest.getSession().getId() but it seems like I could just
> > use any randomly generated key right? And maybe I in fact should not
> > use that technique because that sessionID is also in the header where
> > it can be easily snooped right? So, what is a good technique for
> > generating the sessionID? To avoid duplicates I would just check the
> > sessionID table before returning the sessionID to the client and if it
> > is already in use I just call generateSessionID() again. So my
> > question is what should getSessionID() look like?
> >
> > I realize the recommended approach in the LoginSecurityFAQ is
> > controversial and I've already read all that debate so I'm not really
> > interested in more of that. I just need specific help regarding these
> > questions assuming I am doing what is recommended in the FAQ.
> >
> > Thanks in advance for any help.

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to Google-Web-Toolkit@googlegroups.com
To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~--~~~~--~~--~--~---
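The two-part scheme in this reply (session ID in a cookie, plus a copy in each RPC call or in a hidden field for a custom servlet) only protects against cross-site requests if the server actually compares the two. What follows is an added example of that comparison, not code from this thread or from the GWT project; the cookie name sid, the hidden field name sid and the class names are assumptions, and it is written against the javax.servlet API of the time.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not code from this thread or from GWT: the server side of
 * "session ID in a cookie plus a copy in every request". The browser attaches
 * the cookie to a request forged by another site, but that site cannot read
 * the cookie to put a matching copy in the RPC payload or a hidden field, so
 * a request whose copy matches the cookie was issued by the application's
 * own pages. The cookie name "sid" is an assumption.
 */
public final class SessionTokenCheck {
    static final String COOKIE_NAME = "sid";

    private SessionTokenCheck() {
    }

    /** Value of the named cookie, or null when the request carries none. */
    static String cookieValue(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }

    /**
     * True only when the copy the caller extracted from the request body
     * (RPC argument, hidden field or header) equals the cookie. A missing
     * cookie or copy fails closed. MessageDigest.isEqual runs in constant
     * time, so response timing does not leak the cookie byte by byte.
     */
    public static boolean matches(HttpServletRequest request, String presented) {
        String fromCookie = cookieValue(request, COOKIE_NAME);
        if (fromCookie == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
                fromCookie.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }
}

/**
 * The custom upload servlet case: the form carries a hidden field, here
 * assumed to be named "sid", holding a copy of the session ID. For a
 * multipart/form-data upload getParameter() only sees the field if the
 * container or multipart parser exposes form parts; otherwise pull the
 * field out of the parsed parts and pass it to matches() the same way.
 */
class UploadServlet extends HttpServlet {
    static final String FIELD_NAME = "sid";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!SessionTokenCheck.matches(req, req.getParameter(FIELD_NAME))) {
            // Forged or token-less request: refuse before touching the upload.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "session token mismatch");
            return;
        }
        // The copy matched the cookie; the session table still decides whether
        // that cookie is a valid login before the upload is accepted.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

For GWT RPC the same matches() call goes at the top of each service method, with getThreadLocalRequest() from RemoteServiceServlet supplying the request and the session ID argument the client included as presented. The check proves only that the caller could read the cookie; whether that cookie is still a valid login is the session table's decision. Keep the copy in the POST body (RPC payload or hidden field), never in a query string, where it would land in Referer headers and server logs.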
Re: LoginSecurityFAQ and sessionID/tokens
If you store the session ID in a cookie so that user logins can persist beyond browser refreshes (as suggested in the FAQ), then the session ID will end up in the header anyway.

eags wrote:
> I am implementing user logins and authentication using the model
> presented in the login security FAQ. In particular I plan on manually
> maintaining a table of {sessionID,User,timeout} values for each active
> session and not using the normal servlet session functionality.
>
> So, my question is, where do I get the ID that is returned to the
> client? I know that I can get one from the servlet session using
> HttpServletRequest.getSession().getId() but it seems like I could just
> use any randomly generated key right? And maybe I in fact should not
> use that technique because that sessionID is also in the header where
> it can be easily snooped right? So, what is a good technique for
> generating the sessionID? To avoid duplicates I would just check the
> sessionID table before returning the sessionID to the client and if it
> is already in use I just call generateSessionID() again. So my
> question is what should getSessionID() look like?
>
> I realize the recommended approach in the LoginSecurityFAQ is
> controversial and I've already read all that debate so I'm not really
> interested in more of that. I just need specific help regarding these
> questions assuming I am doing what is recommended in the FAQ.
>
> Thanks in advance for any help.
Re: LoginSecurityFAQ and sessionID/tokens
    java.util.Random random = new java.util.Random();
    String sessionID = Long.toHexString(random.nextLong());

This will generate a 64-bit random number, or you could use a Base64 encoder instead of a hex string.

You might consider also adding the user's IP address into your table, so that you can tie the sessionID to an IP address. This is far from un-spoof-able, but better than nothing, I suppose. The IP address can also be unreliable when going through a NAT appliance.

Jamie.

---
Search for analog and digital television broadcast antennas in your area: http://www.antennamap.com/
Re: LoginSecurityFAQ and sessionID/tokens
LoginSecurityFAQ is here BTW (http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ)

On Jun 10, 12:28 pm, eags wrote:
> I found one discussion with the author of the LoginSecurityFAQ where
> they ask this exact question and he does state that using a random
> sessionID other than the one automatically included in the http header
> generated by the servlet is best.
> (http://groups.google.com/group/Google-Web-Toolkit/browse_thread/thread/208f0144bc686114/842ba54ffa4f9265?lnk=gst&q=user+authentication+login+sessions#842ba54ffa4f9265)
>
> As for how to generate the token I'm thinking:
>
>     String sessionID = UUID.randomUUID().toString();
>
> Any feedback is great as I'm really new to this stuff.
>
> Thanks.
>
> On Jun 10, 10:14 am, eags wrote:
> > I am implementing user logins and authentication using the model
> > presented in the login security FAQ. In particular I plan on manually
> > maintaining a table of {sessionID,User,timeout} values for each active
> > session and not using the normal servlet session functionality.
> >
> > So, my question is, where do I get the ID that is returned to the
> > client? I know that I can get one from the servlet session using
> > HttpServletRequest.getSession().getId() but it seems like I could just
> > use any randomly generated key right? And maybe I in fact should not
> > use that technique because that sessionID is also in the header where
> > it can be easily snooped right? So, what is a good technique for
> > generating the sessionID? To avoid duplicates I would just check the
> > sessionID table before returning the sessionID to the client and if it
> > is already in use I just call generateSessionID() again. So my
> > question is what should getSessionID() look like?
> >
> > I realize the recommended approach in the LoginSecurityFAQ is
> > controversial and I've already read all that debate so I'm not really
> > interested in more of that. I just need specific help regarding these
> > questions assuming I am doing what is recommended in the FAQ.
> >
> > Thanks in advance for any help.
Re: LoginSecurityFAQ and sessionID/tokens
I found one discussion with the author of the LoginSecurityFAQ where they ask this exact question and he does state that using a random sessionID other than the one automatically included in the http header generated by the servlet is best. (http://groups.google.com/group/Google-Web-Toolkit/browse_thread/thread/208f0144bc686114/842ba54ffa4f9265?lnk=gst&q=user+authentication+login+sessions#842ba54ffa4f9265)

As for how to generate the token I'm thinking:

    String sessionID = UUID.randomUUID().toString();

Any feedback is great as I'm really new to this stuff.

Thanks.

On Jun 10, 10:14 am, eags wrote:
> I am implementing user logins and authentication using the model
> presented in the login security FAQ. In particular I plan on manually
> maintaining a table of {sessionID,User,timeout} values for each active
> session and not using the normal servlet session functionality.
>
> So, my question is, where do I get the ID that is returned to the
> client? I know that I can get one from the servlet session using
> HttpServletRequest.getSession().getId() but it seems like I could just
> use any randomly generated key right? And maybe I in fact should not
> use that technique because that sessionID is also in the header where
> it can be easily snooped right? So, what is a good technique for
> generating the sessionID? To avoid duplicates I would just check the
> sessionID table before returning the sessionID to the client and if it
> is already in use I just call generateSessionID() again. So my
> question is what should getSessionID() look like?
>
> I realize the recommended approach in the LoginSecurityFAQ is
> controversial and I've already read all that debate so I'm not really
> interested in more of that. I just need specific help regarding these
> questions assuming I am doing what is recommended in the FAQ.
>
> Thanks in advance for any help.
LoginSecurityFAQ and sessionID/tokens
I am implementing user logins and authentication using the model presented in the login security FAQ. In particular I plan on manually maintaining a table of {sessionID,User,timeout} values for each active session and not using the normal servlet session functionality.

So, my question is, where do I get the ID that is returned to the client? I know that I can get one from the servlet session using HttpServletRequest.getSession().getId() but it seems like I could just use any randomly generated key right? And maybe I in fact should not use that technique because that sessionID is also in the header where it can be easily snooped right? So, what is a good technique for generating the sessionID? To avoid duplicates I would just check the sessionID table before returning the sessionID to the client and if it is already in use I just call generateSessionID() again. So my question is what should getSessionID() look like?

I realize the recommended approach in the LoginSecurityFAQ is controversial and I've already read all that debate so I'm not really interested in more of that. I just need specific help regarding these questions assuming I am doing what is recommended in the FAQ.

Thanks in advance for any help.
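The question above asks what generateSessionID() should look like; Jamie's reply above used java.util.Random and eags proposed UUID.randomUUID(). What follows is an added example that serves all three posts and is not code from this thread or from the GWT project: a SecureRandom-based generator, the {sessionID, User, timeout} table from the question, and the optional address binding from Jamie's reply with its NAT caveat. The class and method names, the 24-byte ID length, the sliding idle timeout, the hashed map key and the use of java.util.Base64 (Java 8 or later, which postdates this thread) are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example, not code from this thread or from GWT: the {sessionID, User,
 * timeout} table the original post describes, with generateSessionID() built on
 * SecureRandom. java.util.Random is a 48-bit linear congruential generator whose
 * state, and so every later ID, is recoverable from two consecutive 32-bit
 * outputs (a single nextLong() call). UUID.randomUUID() is fine (122 bits from
 * SecureRandom) but longer. Needs Java 8+ for java.util.Base64.
 */
public final class SessionTable {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ID_BYTES = 24; // 192 random bits per ID

    /** One live session; the map key is SHA-256(id), never the ID itself. */
    static final class Entry {
        final String user;
        final String remoteAddr; // null = not bound to an address
        volatile long expiresAtMillis;

        Entry(String user, String remoteAddr, long expiresAtMillis) {
            this.user = user;
            this.remoteAddr = remoteAddr;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private final Map<String, Entry> sessions = new ConcurrentHashMap<>();
    private final long idleTimeoutMillis;

    public SessionTable(long idleTimeoutMillis) {
        this.idleTimeoutMillis = idleTimeoutMillis;
    }

    /** 192 CSPRNG bits, URL- and cookie-safe, 32 characters, no padding. */
    public static String generateSessionID() {
        byte[] raw = new byte[ID_BYTES];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Hashing the ID before using it as a key means a copied table (DB dump,
    // heap dump, debug log) does not hand out live bearer tokens.
    static String keyFor(String id) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(id.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /**
     * Starts a session and returns the ID to send to the client. Pass the
     * client address to bind the session to it, or null to skip binding.
     */
    public String login(String user, String remoteAddr) {
        long expires = System.currentTimeMillis() + idleTimeoutMillis;
        for (;;) {
            String id = generateSessionID();
            // The duplicate check from the original post. A collision of 192
            // random bits will not occur in practice; putIfAbsent just makes the
            // check atomic instead of a lookup followed by a separate insert.
            if (sessions.putIfAbsent(keyFor(id), new Entry(user, remoteAddr, expires)) == null) {
                return id;
            }
        }
    }

    /**
     * The user owning the session, or null if the ID is unknown, idle past the
     * timeout, or bound to a different address. A hit slides the timeout.
     */
    public String authenticate(String id, String remoteAddr) {
        if (id == null) return null;
        String key = keyFor(id);
        Entry e = sessions.get(key);
        if (e == null) return null;
        long now = System.currentTimeMillis();
        if (now > e.expiresAtMillis) {
            sessions.remove(key, e); // expired: drop it on the spot
            return null;
        }
        // Address binding makes a stolen ID harder to replay but rejects users
        // behind NAT pools or carriers whose address changes mid-session.
        if (e.remoteAddr != null && !e.remoteAddr.equals(remoteAddr)) {
            return null;
        }
        e.expiresAtMillis = now + idleTimeoutMillis;
        return e.user;
    }
}
```

The ID goes to the client in a cookie and, under the scheme discussed in this thread, as a copy inside each RPC call, so the GWT client code must be able to read the cookie; that rules out HttpOnly, but the cookie should still be marked Secure and the application served over TLS. As Paul Robinson notes, the ID travels in the request headers whichever way it was generated: the generator decides only whether an ID can be guessed, not whether it can be sniffed.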