[ale] User authentication in web app

Chris Fowler cfowler at outpostsentinel.com
Tue Mar 16 07:49:38 EST 2004


I'm trying to determine the best way to do user auth in a web
application.  I've not done this yet inside of servlets.  I've done it
within our CGI programs that were all written in C.

In the past all users were stored in our special password system.  This
was on an embedded machine.  I used getpwnam() to get user data and then
I would get ACL data.  That is just the details.  To track users I would
auth their password against the one in the passwd system using one way
encryption.  I then took the one way encrypted string and added it to a
cookie.  The cookie data was 128-bit encrypted.  Every time the user
would access a page I would then re-authenticate them with that one way
encrypted password that they entered on the login page.  If there was no
match then I would redirect them to the login page.  The reason I did
this was for the case where the administrator changed their password
or rights in between pages.  This was the only way I could think of to
guarantee they had privs to the site.

I want to do a similar thing in the webapp.  I plan on using a table in
our database to store user accounts for the application.  So during the
login phase I'll get their password and do a select on that table.  I
could simply use the password() function in mysql like this:

select * from users where PASSWORD like PASSWORD('value');

If I get a row then obviously the password matched.  Is this the correct
thing to do?

Next question I have is on session tracking.  I can then use the servlet
session API and then add this encrypted string to the cookie.  Every
time the user accesses a page I can then do this:

select * from users where PASSWORD like PASSWORD('value');

If I get a match then I know the user is good.  Otherwise I need to
redirect them to the login servlet.

This is the only way I can guarantee they have access between each page.

Is my solution a good solution, or does it provide too much overhead?  I
want to keep good track of users and make sure there are no loopholes in
the security system.

Thanks,
Chris
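An added example (not Chris's code, and not from the servlet or MySQL APIs he mentions) of the two pieces the post asks about: a login lookup constrained by username that compares hashes with an equality check, and a per-request re-check against the database that catches an administrator changing the user's password or rights between pages without putting the password hash in the cookie.  It assumes an in-memory sqlite3 table standing in for the MySQL users table, PBKDF2 in place of MySQL's PASSWORD(), and a hypothetical cred_version column that any admin change increments.

```python
import hashlib, hmac, os, secrets, sqlite3

def make_db():
    # Constructed stand-in for the users table; cred_version is an assumed column
    # that is bumped whenever an admin changes the password or the ACL data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, "
               "pwhash BLOB, cred_version INTEGER)")
    return db

def hash_pw(password, salt):
    # Salted, slow one-way hash standing in for PASSWORD('value')
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(db, username, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, 1)",
               (username, salt, hash_pw(password, salt)))

def login(db, sessions, username, password):
    """Select by username (parameterised), then compare hashes with equality,
    not LIKE. Returns a random session token, or None on failure."""
    row = db.execute("SELECT salt, pwhash, cred_version FROM users "
                     "WHERE username = ?", (username,)).fetchone()
    if row is None or not hmac.compare_digest(hash_pw(password, row[0]), row[1]):
        return None
    token = secrets.token_urlsafe(32)          # cookie carries only this token
    sessions[token] = (username, row[2])       # remember the version seen at login
    return token

def check_request(db, sessions, token):
    """Per-page check from the post, done against the database: the session
    must exist and the user's cred_version must not have moved since login."""
    sess = sessions.get(token)
    if sess is None:
        return False
    row = db.execute("SELECT cred_version FROM users WHERE username = ?",
                     (sess[0],)).fetchone()
    if row is None or row[0] != sess[1]:
        sessions.pop(token, None)              # invalidate; caller redirects to login
        return False
    return True

def admin_change_password(db, username, new_password):
    # Any admin-side change bumps cred_version, so open sessions fail the next check
    salt = os.urandom(16)
    db.execute("UPDATE users SET salt = ?, pwhash = ?, cred_version = cred_version + 1 "
               "WHERE username = ?", (salt, hash_pw(new_password, salt), username))
```

The per-request query is a single indexed lookup by username, so the overhead is the same as the select in the post, but a stolen cookie no longer reveals anything derived from the password.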


