?
Solved

Persist Login / remember me / Auto Login

Posted on 2003-02-22
8
Medium Priority
?
682 Views
Last Modified: 2008-02-01
Hi All,
    I have written a jsp login page that accepts login and password from the user. Once the user is authenticated, I put some information the related User Class in the Session and use it throughout application. If on access to a page, we find that there is no user class in the session, we send the user to the login page.
    Now, I want to put "remember me" option on the login page. If a user selects a checkbox, he should "never" be asked for login again. Although I can figure out how to do it using cookies and database, I do not want to reinvent the wheel.
    I have the following requirements:
    1. It should be database independent
    2. It should be webserver/appserver independent
    3. It should be quite secure.

    Can anyone point me to a good reference source or implementation? Or is there a standard way of doing it?

Cheers,
Ajay
0
Comment
Question by:adwiv
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 14

Accepted Solution

by:
kennethxu earned 200 total points
ID: 7999640
you don't have to deal with database.

basically, in you login page, you detect if username/password(encrypted) cookie exists? if it is, extract them and use that username and password to submit the login page using javascript, before the page even have a chance to display it.

in the place that you validate a user, you need to take care of the password that is from cookie and decrypt it. if the remember me is enabled, send cookies contains username and encrypted password to browser, so next time you login page can use it.

>> 3. It should be quite secure.
using "remember me" is already not secure, it also depend on how strong the encryption you used to encrypt the password.

let me know if you have further enquiries.
0
 
LVL 2

Author Comment

by:adwiv
ID: 8001818
By secure, I meant if someone copies/intercepts the cookie, it should not work. And a person should not be able to craft a cookie by himself. I think the problem two is solved by encrypting the cookie data.
Moreover I also wanted to disable more than one persistant logins. i.e. if someone log in from another machine with remember login set, his first cookie should be invalidated.

I am specifically looking for a good implemenation, whether it be in JSP or any other web language. This is such an important and often used thing, but I feel everyone his cooking his own.
0
 
LVL 19

Assisted Solution

by:cheekycj
cheekycj earned 200 total points
ID: 8003753
try this:

create a login cookie that is an MD5 hash or a DES encryption or something similar of the combination of the user's login, user's password and the current IP address the user is using.  {proxy servers will cause problems for this]

A combination of that cookie, current session id.. should help you prevent users from copying the cookie and trying to use it for their own purposes.

CJ
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 19

Expert Comment

by:cheekycj
ID: 8003757
We store the cookie value and session id in a DB and match against that.  Also check for invalidated sessions that way.

CJ
0
 
LVL 19

Expert Comment

by:cheekycj
ID: 8003761
if you set secure cookies they are encrypted using SSL so that is an added step.  All of our login cookies and data is all set as Secure cookies so they are transmitted over SSL.

CJ
0
 
LVL 14

Expert Comment

by:kennethxu
ID: 8005974
1. you can provent cookie data to be intercept from transmission (by SSL), but you cannot prevent copy cookie from HDD.
2. encrypt your cookie with ip address might help, but proxy can be a major problem and people can fake an ip.
3. you cannot use session id. because when user come back next time, he always get new session id.
4. using cookie is as secure as cookie is, it cannot be any more secure.
5. if you only allow use login from one place, again you'll have to work with ip.

conclusion: there is no perfect solution to your requirement exist.
0
 
LVL 35

Expert Comment

by:girionis
ID: 9990267
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

- Split points between kennethxu and cheekycj

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

girionis
EE Cleanup Volunteer
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introducing Priority Question, our latest feature.
In today's business world, data is more important than ever for informing marketing campaigns. Accessing and using data, however, may not come naturally to some creative marketing professionals. Here are four tips for adapting to wield data for insi…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question