  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 684
  • Last Modified:

Persist Login / remember me / Auto Login

Hi All,
    I have written a JSP login page that accepts a login and password from the user. Once the user is authenticated, I put some information from the related User class in the session and use it throughout the application. If, on access to a page, we find that there is no User object in the session, we send the user to the login page.
    Now, I want to put a "remember me" option on the login page. If a user selects the checkbox, he should "never" be asked to log in again. Although I can figure out how to do it using cookies and a database, I do not want to reinvent the wheel.
    I have the following requirements:
    1. It should be database independent
    2. It should be webserver/appserver independent
    3. It should be quite secure.

    Can anyone point me to a good reference source or implementation? Or is there a standard way of doing it?

Cheers,
Ajay
0
adwiv
Asked:
adwiv
2 Solutions
 
kennethxuCommented:
you don't have to deal with a database.

basically, in your login page, you detect whether a username/password (encrypted) cookie exists. if it does, extract them and use that username and password to submit the login page using JavaScript, before the page even has a chance to display.

in the place where you validate a user, you need to take care of the password that comes from the cookie and decrypt it. if "remember me" is enabled, send cookies containing the username and encrypted password to the browser, so next time your login page can use them.

>> 3. It should be quite secure.
using "remember me" is already not secure; it also depends on how strong the encryption you used to encrypt the password is.

let me know if you have further enquiries.
0
 
adwivAuthor Commented:
By secure, I meant that if someone copies/intercepts the cookie, it should not work. And a person should not be able to craft a cookie by himself. I think problem two is solved by encrypting the cookie data.
Moreover, I also wanted to disallow more than one persistent login, i.e. if someone logs in from another machine with "remember login" set, his first cookie should be invalidated.

I am specifically looking for a good implementation, whether it be in JSP or any other web language. This is such an important and often-used thing, but I feel everyone is cooking his own.
0
 
cheekycjCommented:
try this:

create a login cookie that is an MD5 hash or a DES encryption (or something similar) of the combination of the user's login, the user's password and the current IP address the user is using. (proxy servers will cause problems for this)

A combination of that cookie and the current session id should help you prevent users from copying the cookie and trying to use it for their own purposes.

CJ
0

 
cheekycjCommented:
We store the cookie value and session id in a DB and match against that.  Also check for invalidated sessions that way.

CJ
0
 
cheekycjCommented:
if you set secure cookies they are encrypted using SSL, so that is an added step. All of our login cookies and data are set as Secure cookies, so they are transmitted over SSL.

CJ
0
 
kennethxuCommented:
1. you can prevent cookie data from being intercepted in transmission (by SSL), but you cannot prevent the cookie from being copied from the HDD.
2. encrypting your cookie with the ip address might help, but proxies can be a major problem and people can fake an ip.
3. you cannot use the session id, because when the user comes back next time, he always gets a new session id.
4. using a cookie is as secure as the cookie is; it cannot be any more secure.
5. if you only allow the user to log in from one place, again you'll have to work with the ip.

conclusion: no perfect solution to your requirement exists.
0
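The thread's points (a server-side record rather than a session id, a copied cookie that stops working, one persistent login per user) can be combined into the usual selector/validator scheme; this is an added example, not code from any of the posters, and its in-memory dict stands in for the database table the real site would use. The cookie is a random selector plus a random validator; only a hash of the validator is stored, a mismatch revokes the record, and issuing a new token replaces the user's previous one.

```python
import hashlib
import hmac
import secrets
import time

# Server-side store keyed by selector; a real deployment uses a DB table with the
# same three columns, which keeps the design database-independent (constructed here).
_store = {}


def issue_remember_me(user, ttl=30 * 24 * 3600, now=None):
    """Create a persistent-login cookie value for user; any older token is invalidated."""
    selector = secrets.token_urlsafe(9)     # lookup key, not secret on its own
    validator = secrets.token_urlsafe(32)   # proof of possession, never stored in clear
    vhash = hashlib.sha256(validator.encode()).digest()
    # One persistent login per user: drop every earlier record for this user.
    for sel, rec in list(_store.items()):
        if rec["user"] == user:
            del _store[sel]
    _store[selector] = {"user": user, "vhash": vhash,
                        "exp": (now if now is not None else time.time()) + ttl}
    # The caller sets this value in a cookie flagged Secure and HttpOnly.
    return f"{selector}:{validator}"


def check_remember_me(cookie, now=None):
    """Return the user name for a valid cookie, else None."""
    try:
        selector, validator = cookie.split(":", 1)
    except ValueError:
        return None                          # malformed or hand-crafted cookie
    rec = _store.get(selector)
    if rec is None:
        return None
    if rec["exp"] < (now if now is not None else time.time()):
        del _store[selector]                 # expired
        return None
    candidate = hashlib.sha256(validator.encode()).digest()
    if not hmac.compare_digest(rec["vhash"], candidate):
        # Known selector with a wrong validator: treat the token as compromised
        # and revoke it, so the legitimate user is asked to log in again.
        del _store[selector]
        return None
    return rec["user"]
```

Binding the record to an IP address, as suggested above, would be an extra column checked here; the example leaves it out because of the proxy problem the posters note.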
 
girionisCommented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

- Split points between kennethxu and cheekycj

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

girionis
EE Cleanup Volunteer
0
