
I'm developing a web application and I'm having difficulties implementing a login feature. In my application, a user has to log in to add a new item (a row to a database, and the corresponding user id is added to the newly created row). Also, the user can navigate to different pages in the application, which all require the user to be logged in. So, once the login is successful the user id can be stored in a cookie file to share it with all pages. But I realized that a user, after using his credentials to log in, can then alter the cookie file and change the user id in the cookie to someone else's and then view confidential data of another person. How to prevent this type of attack?

PS: I'm using servlets and JSP for my app.

user3388324

1 Answer

An approach would be, instead of storing the user id in a cookie, to store an authentication token in the session cookie; this token needs to be unique per user and very difficult to guess. For this you could hash and salt the user id to generate the authentication token.

For extra security, make sure that the token expires at the end of the session or after the user logs out.

It would also help to do this over HTTPS, so that your traffic is encrypted.

Here is a very good guide to web-based authentication.

Jose B
  • If I want to add the details about the user who added the item to the db, I need the user id anyway. Can you please explain how an authentication token can help in uniquely identifying the user who adds the fields and not just help in identifying if the user has logged in? – user3388324 Mar 30 '14 at 08:28
  • Sure, what you need is a way to store, server-side, the authentication token along with the user id (e.g. a session table). This way every time there is a request, you can verify if there is an authentication token in the cookies and use it to retrieve the user id from your server-side storage. – Jose B Mar 31 '14 at 08:10
  • Is there a reference to a specific source where it states the technique's advantages or downsides? – user3388324 Mar 31 '14 at 09:11
  • Hmm, try this [resource](http://unixpapa.com/auth/homebuilt.html#sec3.3), read section 3.3.2.2, the article is a bit outdated but the general principles of the technique are still valid. Otherwise you might want to try a web search. Cheers! – Jose B Mar 31 '14 at 10:55
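Putting the answer and the comment exchange together in servlet terms, here is an added example (not code from the question or the answer): a server-side session table that maps an opaque cookie token to a user id, plus a filter that resolves the id for every protected page. It assumes the javax.servlet API, a cookie named AUTH_TOKEN and a /login.jsp page, and it uses a SecureRandom token rather than the hashed-and-salted user id the answer mentions, since a random value cannot be derived from someone else's known user id.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Server-side session table: opaque token -> user id. A real app would keep this in a
// database table (or use the container's HttpSession); a map is enough to show the idea.
final class TokenSessions {
    private static final ConcurrentHashMap<String, Long> SESSIONS = new ConcurrentHashMap<>();
    private static final SecureRandom RNG = new SecureRandom();
    private static final String COOKIE = "AUTH_TOKEN"; // assumed cookie name
    // Call only after the password check has succeeded. The token is 256 random bits and
    // carries no user data, so editing the cookie yields nothing that resolves to a user.
    static void login(long userId, HttpServletResponse resp) {
        byte[] raw = new byte[32]; RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(token, userId);
        Cookie c = new Cookie(COOKIE, token);
        c.setHttpOnly(true); // not readable by page scripts
        c.setSecure(true);   // sent over HTTPS only
        c.setPath("/");      // shared by every page of the app
        c.setMaxAge(-1);     // session cookie: discarded when the browser closes
        resp.addCookie(c);
    }
    // Logout deletes the server-side entry, so a replayed cookie no longer resolves.
    static void logout(HttpServletRequest req) {
        String t = tokenFrom(req); if (t != null) SESSIONS.remove(t);
    }
    // Map the cookie back to a user id; null means "not logged in".
    static Long userIdFor(HttpServletRequest req) {
        String t = tokenFrom(req); return t == null ? null : SESSIONS.get(t);
    }
    private static String tokenFrom(HttpServletRequest req) {
        if (req.getCookies() == null) return null;
        for (Cookie c : req.getCookies()) if (COOKIE.equals(c.getName())) return c.getValue();
        return null;
    }
}

// Mapped in web.xml to every protected URL. The user id that pages and the "add item"
// servlet use comes from the request attribute set here, never from anything the client sent.
public final class AuthFilter implements Filter {
    public void init(FilterConfig fc) {} public void destroy() {}
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws java.io.IOException, ServletException {
        Long userId = TokenSessions.userIdFor((HttpServletRequest) rq);
        if (userId == null) { ((HttpServletResponse) rs).sendRedirect("/login.jsp"); return; }
        rq.setAttribute("userId", userId);
        chain.doFilter(rq, rs);
    }
}
```

The servlet that inserts the row reads `request.getAttribute("userId")` rather than any cookie or form field, so a tampered cookie either resolves to its real owner or to nothing at all.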