[ale] User authentication in web app
George Carless
kafka at antichri.st
Tue Mar 16 09:11:01 EST 2004
> I want to do a similar thing in the webapp. I plan on using a table in
> our database to store user accounts for the application. So during the
> login phase I'll get their password and do a select on that table. I
> could simply use the password() function in mysql like this:
>
> select * from users where PASSWORD like PASSWORD('value');
You should key against both the username and the password. Also, I'd
recommend using something like md5() rather than password(), for stronger
passwords.. and it's probably best to create the md5 sum within your
application server rather than at the database, to avoid passing
unencrypted passwords around. And don't use "like" on a known value; use
"=".
> Next question I have is on session tracking. I can then use the servlet
> session API and then add this encrypted string to the cookie. Every
> time the user access a page I can then do this:
> select * from users where PASSWORD like PASSWORD('value');
I would think you would be better off storing a table of known valid
sessions, keyed perhaps against user id, session id, IP address. If you
absolutely must store the password in the cookie (which I don't think you
should), make sure you're storing a hash of it and NOT anything that can
be used to determine the original password. And to be honest I would
probably say, with my usual disclaimer that I'm not trying to be rude (I'm
just British) that if you're needing to ask these questions then you're
probably not *that* concerned about mega security beyond good basic
precautions, in which case you might be as well off just checking against
a userid/sessionid/ip address match. I can't see any gain from storing
the password in the cookie, except insomuch as it provides another key to
check against to prevent people from faking/guessing session variables.
But you should probably store some other arbitrary value if you're looking
for that, anyhow.
If anyone disagrees massively with me then please chip in, especially
since my own session handling routines are gradually becoming a
spaghetti-like mess of code and could probably use a rework some time
soon.
Cheers,
--George
More information about the Ale
mailing list