adwiv
asked on
Persist Login / remember me / Auto Login
Hi All,
I have written a jsp login page that accepts login and password from the user. Once the user is authenticated, I put some information the related User Class in the Session and use it throughout application. If on access to a page, we find that there is no user class in the session, we send the user to the login page.
Now, I want to put a "remember me" option on the login page. If a user selects a checkbox, he should "never" be asked for login again. Although I can figure out how to do it using cookies and a database, I do not want to reinvent the wheel.
I have the following requirements:
1. It should be database independent
2. It should be webserver/appserver independent
3. It should be quite secure.
Can anyone point me to a good reference source or implementation? Or is there a standard way of doing it?
Cheers,
Ajay
We store the cookie value and session id in a DB and match against that. Also check for invalidated sessions that way.
CJ
If you set secure cookies they are encrypted using SSL, so that is an added step. All of our login cookies and data are set as Secure cookies so they are transmitted over SSL.
CJ
1. You can prevent cookie data from being intercepted in transmission (by SSL), but you cannot prevent the cookie from being copied from the HDD.
2. Encrypting your cookie with the IP address might help, but proxies can be a major problem and people can fake an IP.
3. You cannot use the session id, because when the user comes back next time, he always gets a new session id.
4. Using a cookie is as secure as the cookie is; it cannot be any more secure.
5. If you only allow a user to log in from one place, again you'll have to work with the IP.
Conclusion: no perfect solution to your requirement exists.
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
- Split points between kennethxu and cheekycj
Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
girionis
EE Cleanup Volunteer
ASKER
Moreover, I also wanted to disable more than one persistent login, i.e. if someone logs in from another machine with remember login set, his first cookie should be invalidated.
I am specifically looking for a good implementation, whether it be in JSP or any other web language. This is such an important and often used thing, but I feel everyone is cooking his own.
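One way to meet the requirements discussed in this thread (cookie value checked against server-side state, only one persistent login per user), as an added example that is not code from any poster here. The class name, the in-memory map, the 14-day lifetime and the `user:token` cookie layout are assumptions; it needs Java 16 or later, and the user id is assumed to be cookie-safe and free of `:`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public class RememberMeTokens {
    private record Entry(byte[] tokenHash, Instant expires) {}
    private static final long TTL_SECONDS = 14L * 24 * 3600; // assumed lifetime
    private final SecureRandom rng = new SecureRandom();
    // Hypothetical in-memory store keyed by user id; any persistent store can replace it.
    private final Map<String, Entry> byUser = new ConcurrentHashMap<>();

    /** Call after a password login with "remember me" ticked; returns the cookie value. */
    public String issue(String user) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // Only a hash is stored, and put() replaces the user's earlier token,
        // so a cookie issued on another machine stops validating.
        byUser.put(user, new Entry(sha256(token), Instant.now().plusSeconds(TTL_SECONDS)));
        return user + ":" + token;
    }

    /** Returns {user, replacement cookie value}, or empty when the cookie must be rejected. */
    public Optional<String[]> redeem(String cookie) {
        int sep = cookie == null ? -1 : cookie.lastIndexOf(':');
        if (sep < 0) return Optional.empty();
        String user = cookie.substring(0, sep);
        Entry entry = byUser.get(user);
        if (entry == null || Instant.now().isAfter(entry.expires())
                || !MessageDigest.isEqual(entry.tokenHash(), sha256(cookie.substring(sep + 1)))) {
            return Optional.empty();
        }
        return Optional.of(new String[] {user, issue(user)}); // rotate on every use
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on the Java platform
        }
    }
}
```

A servlet filter would call `redeem` when no user object is in the session, then set the replacement value in a cookie marked Secure and HttpOnly. A copied cookie still works until the owner's next visit rotates it, which is the residual risk raised in the numbered list above.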