0

I'm trying to set a cookie so that user can be automatically logged in.

I do not want to query DB for session string when authenticating cookies (basically I need to do that whenever most of my APIs are called, I want to make it faster)

the solution I found is to set a hash in the cookie and try to decrypt it when authenticating, if decryption is successful then log user in.

I am wondering what hashing method should I use? Do I just use a constant salt in my program and hash the userName with that salt, store the hashed userName and original userName in cookie, and try to match userName with decrypted hash upon authentication?

Since I am not familiar with hashing functions, can anyone kindly provide some suggestions on how should I do it in Java?

Matthew Yang
  • 605
  • 1
  • 13
  • 23

3 Answers3

1

I recommend you to use an unique token key generated for each session. For example, if a client once logged in from a computer, this token will be valid until the password is changed. Expiring a cookie is not completely secure...

You can also use session variable for a simple authentication. Once you set a session variable for an user, every time this user sends a request with this session id; your session variable will be reached for just this session id. Most of the platforms can also use DB for storing these variables for you.

Can Guney Aksakalli
  • 1,320
  • 1
  • 11
  • 24
  • yes..using a session variable is easy..the problem is that I do not want to query DB for authentication – Matthew Yang Mar 05 '13 at 15:59
  • Why don't you want to query database? Is there a overhead of querying database for every request or you don't want to use a database? If you don't configure session manager to work with a database, session variables are stored in process memory in server side by default. Indeed, you don't need a database for that case. – Can Guney Aksakalli Mar 06 '13 at 12:04
0

Two approaches:

1) Create your own authentication framework. In this case I recommend to put in a cookie an encrypted value of a username (I strongly not recommend to use hashing; also please do not put the user password value). For encryption please use AES-256 encryption with BouncyCastle: 256bit AES/CBC/PKCS5Padding with Bouncy Castle If your framework success to decrypt the cookie – the user is authenticated. If your framework cannot decrypt the cookie or the user is not exist - the user is not authenticated.

2) Please consider to use the Spring Security framework: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html It is the great framework and solves a lot of authentication / authorization problems. Your problem is solved by the “RememberMe” feature: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-remember-me

Best regards,

Michael

Community
  • 1
  • 1
Michael
  • 10,063
  • 18
  • 65
  • 104
  • thanks but I can not use Spring, nor Hibernate.. for the example given in 1st section, how do I decrypt it if the salt is randomly generated? – Matthew Yang Mar 05 '13 at 16:14
  • Hi! You can generate salt per installation and store it in DB - in this case you will be able to use it for the cookie decryption. The example for the salt generation is listed here: http://stackoverflow.com/questions/2957513/how-to-use-bouncy-castle-lightweight-api-with-aes-and-pbe You can accept my answer if it fit your requirements. – Michael Mar 06 '13 at 09:24
0

I don't come from Java background, but your hash key should never be something exposed.

For example:- In your case UserName is key and one of the fellow developers who knows what mechanism you are using can break it down because name is something very common and known.

Don't know what the best way is but I have used UserID(GUID) which is not visible in UI.

Pranali Desai
  • 974
  • 1
  • 7
  • 22