
Just wondering if my following authentication method is correct or not. Is there any pitfall or anything missing? Suggestions and discussions are very welcome.

1> The user provides a user name and password, which are sent to the server by RPC and compared with the hashed value stored in the DB.

2> Assuming the user name and password are accurate, an Auth Token is saved in the session. The auth token will be checked when accessing the servlets.

3> The user id (integer) is returned to the client by RPC onSuccess. The user id is saved in a static variable on the client side.

4> Whenever user-specific information is needed, an RPC call with the user id (the static variable) is sent to the server for the database query.

Thanks

Ming Leung
  • Also take a look http://stackoverflow.com/questions/2974100/question-on-gwt-cookies-and-webpage-directing/2976062#2976062 – drafael Oct 02 '13 at 13:29

3 Answers

You'd better return the token to the client side and verify the token instead of the user id. If the user id is used, then once user A is logged in, another user can send a request to the server pretending to be user A. Your authentication method fails to protect the data.

criszhao

You don't need to send a user id to the client. The server already has all the information it needs to recognize the user.

This code snippet creates a session cookie; with session.getId() you get its content, which you should save to recognize the user:

HttpServletRequest request = this.getThreadLocalRequest();
HttpSession session = request.getSession(true);

Then, when the user calls your server, you just read back the session id:

HttpServletRequest request = this.getThreadLocalRequest();
HttpSession session = request.getSession(false);

With session.invalidate() you can destroy the session; it's also possible to store objects in the session.

The this.getThreadLocalRequest() call only works in the *Impl class.

Akkusativobjekt
  • Yes, you are right. You can identify the session this way. But I have a question about accessing the data in MySQL. All the data has a column for the user id. I need to query the relevant data by this user id. How can you associate the session id with the user id? – Ming Leung Sep 23 '13 at 19:28
  • You could map the session id to the user id in a new table. This would also keep the session id and the user id separated. Also, if the user id is always the same for one user, I would not recommend storing it in a session. – Akkusativobjekt Sep 23 '13 at 21:01
  • Yes, it is a better idea. So build a new table to associate the sessionId (variable) and the user id (constant). But is there any pitfall in keeping the userId as a static variable on the client side, since the session will be checked again when the servlet is visited? – Ming Leung Sep 23 '13 at 21:44
  • What advantage do you expect when the user id is stored in the client? Also, if the user presses F5, the static variable will be reset. – Akkusativobjekt Sep 25 '13 at 07:57
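To make the two answers concrete, here is an added example (not code from the original post or from GWT itself) of a RemoteServiceServlet that binds the user id to the server-side session at login and reads it back on every later call, so the client never supplies an id the server would have to trust. AuthService, UserDao, UserProfile and NotLoggedInException are assumed names; the comment above proposes a separate session-id-to-user-id table instead, which would replace the session attribute here without changing the point.

```java
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// AuthService, UserDao, UserProfile and NotLoggedInException are hypothetical.
public class AuthServiceImpl extends RemoteServiceServlet implements AuthService {

    private static final String USER_ID_ATTR = "auth.userId";

    // Steps 1 and 2: verify the credentials, then bind the user id to the
    // server-side session. Nothing the client could forge is stored here.
    @Override
    public boolean login(String username, String password) {
        // Hypothetical DAO: compares against the stored hash, returns null on failure.
        Integer userId = UserDao.checkPassword(username, password);
        if (userId == null) {
            return false;
        }
        HttpServletRequest request = getThreadLocalRequest();
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();   // drop any pre-login session so its id is not reused
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(USER_ID_ATTR, userId);
        return true;
    }

    // Step 4: user-specific calls take no user id parameter at all; the id is
    // derived from the session cookie the browser sends with the RPC request.
    @Override
    public UserProfile getProfile() {
        return UserDao.loadProfile(requireUserId());
    }

    @Override
    public void logout() {
        HttpSession session = getThreadLocalRequest().getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    private int requireUserId() {
        HttpSession session = getThreadLocalRequest().getSession(false);
        Object id = (session == null) ? null : session.getAttribute(USER_ID_ATTR);
        if (id == null) {
            throw new NotLoggedInException();   // client reacts by showing the login form
        }
        return (Integer) id;
    }
}
```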

You quoted:

3> The user id (integer) is returned to the client by RPC onSuccess. The user id is saved in a static variable on the client side.

If a user refreshes his page, the value stored in the client-side static field will be reset, right? In that case, will the session end, and will the user be prompted to log in again?

Vikky