Is this a legitimate Remember Me implementation for my web application?

I am trying to add the Remember Me feature to my web application to allow the user to stay logged in between browser restarts. I think I got most of this. I use Google App Engine for the backend, which allows me to use Java servlets. Here is some kind of pseudo code to demonstrate:

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
// getThreadLocalRequest() is inherited from GWT's RemoteServiceServlet.
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

public class MyServlet extends RemoteServiceServlet {
    public void handleRequest() {
        HttpServletRequest request = getThreadLocalRequest();
        HttpSession session = request.getSession();
        if (session.getAttribute("user") != null) {
            // User already has a session running for them.
        }
        else {
            // No session, but check if they chose 'remember me' during
            // their initial login; if so we can have them 'auto log in'
            // now.
            Cookie rememberMe = findCookie(request.getCookies(), "rememberMePlz");
            if (rememberMe != null) {
                // The value of this cookie is the cookie id, which is a
                // unique string that is in no way based upon the user
                // name/email/id, and is hard to randomly generate.
                String cookieid = rememberMe.getValue();

                // Get the user object associated with this cookie id from
                // the data store; would probably be a two-step process like:
                //
                // select * from cookies where cookieid = 'cookieid';
                // select * from users where userid = 'userid fetched from above select';
                User user = DataStore.getUserByCookieId(cookieid);
                if (user != null) {
                    // Start session for them.
                    session.setAttribute("user", user);
                }
                else {
                    // Either couldn't find a matching cookie with the
                    // supplied id, or maybe we expired the cookie on
                    // our side or blocked it.
                }
            }
        }
    }

    // request.getCookies() returns null when the request carries no cookies at all.
    private static Cookie findCookie(Cookie[] cookies, String name) {
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (name.equals(cookie.getName())) {
                return cookie;
            }
        }
        return null;
    }
}

// On first login, if user wanted us to remember them, we'd generate 
// an instance of this object for them in the data store. We send the 
// cookieid value down to the client and they persist it on their side 
// in the "rememberMePlz" cookie.
public class CookieLong {
    private String mCookieId;
    private String mUserId; 
    private long mExpirationDate;
}

Well, all of this makes sense. The only frightening thing is: what happens if someone finds out the value of the cookie? An attacker can set this cookie in his browser and gain access to my site and, in effect, log in as the user associated with it!



"What happens if someone finds out the value of the cookie? An attacker can set this cookie in his browser and log in as that user!"

That is the same risk as with the session cookie itself (jsessionid in JSP/Servlet, PHPSESSID in PHP, etc.). The cookie value should be unique (it can serve as the DB PK/UK), long enough (up to 255 characters), hard to guess (e.g. an MD5 hash) and consist of printable ASCII characters (0x20-0x7E).

If you also want it tied to the IP address, check the client's IP address: HttpServletRequest#getRemoteAddr().

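To make the criteria in the answer concrete (unique, long enough, hard to guess, printable ASCII) alongside the asker's DataStore/CookieLong design, here is an added example that is not code from the question or the answer. It is plain JDK Java so it runs without the servlet or App Engine libraries; the class RememberMeStore, its Entry record and the in-memory Map are assumptions standing in for the asker's DataStore and CookieLong. It goes one step beyond the thread in one respect: only a SHA-256 hash of the token is stored server-side, so a copy of the cookie table alone is not enough to forge a cookie, which is the failure mode the asker is worried about.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example, not part of the question or answer. Stand-in for DataStore/CookieLong.
public class RememberMeStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int TOKEN_BYTES = 32; // 256 bits of entropy: not guessable

    // What is persisted per token (the asker's CookieLong), keyed by a hash of
    // the token rather than the token itself.
    static final class Entry {
        final String userId;
        final long expiresAtMillis;
        Entry(String userId, long expiresAtMillis) {
            this.userId = userId;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    // Assumed in-memory table; a real deployment would use the datastore.
    private final Map<String, Entry> byTokenHash = new HashMap<>();

    /** Generates a fresh token, stores its hash for userId and returns the value
     *  that goes into the "rememberMePlz" cookie. Base64url without padding is
     *  printable ASCII (0x20-0x7E) and 43 characters for 32 bytes, well under 255. */
    public String issue(String userId, long ttlMillis) {
        byte[] raw = new byte[TOKEN_BYTES];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byTokenHash.put(hash(token), new Entry(userId, System.currentTimeMillis() + ttlMillis));
        return token;
    }

    /** Returns the user id for a presented cookie value, or null if the token is
     *  unknown or expired. Expired entries are dropped on the way out. */
    public String lookup(String token) {
        return lookup(token, System.currentTimeMillis());
    }

    String lookup(String token, long nowMillis) {
        if (token == null) {
            return null;
        }
        String key = hash(token);
        Entry e = byTokenHash.get(key);
        if (e == null) {
            return null;
        }
        if (nowMillis >= e.expiresAtMillis) {
            byTokenHash.remove(key); // server-side expiry, as in the asker's else branch
            return null;
        }
        return e.userId;
    }

    /** Invalidates a token server-side, e.g. on logout or password change. */
    public void revoke(String token) {
        if (token != null) {
            byTokenHash.remove(hash(token));
        }
    }

    // Only the digest is stored; knowing the table does not reveal a usable cookie.
    static String hash(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(token.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException("SHA-256 is mandatory in every JDK", ex);
        }
    }

    public static void main(String[] args) {
        RememberMeStore store = new RememberMeStore();
        String token = store.issue("user-42", 14L * 24 * 3600 * 1000); // two weeks
        System.out.println("cookie value: " + token + " (" + token.length() + " chars)");
        System.out.println("lookup valid:  " + store.lookup(token));
        System.out.println("lookup forged: " + store.lookup("not-a-real-token"));
        store.revoke(token);
        System.out.println("after revoke:  " + store.lookup(token));
    }
}
```

In the servlet, issue() replaces the creation of CookieLong at login and lookup() replaces DataStore.getUserByCookieId() in handleRequest. The returned token is sent in a javax.servlet.http.Cookie with setHttpOnly(true), setSecure(true) and a setMaxAge matching the entry's expiry (Servlet 3.0 and later), so script on the page cannot read it and it never travels over plain HTTP. The IP check suggested in the answer can be added by storing request.getRemoteAddr() in Entry and comparing it in lookup().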
