GWT: Storing the session identifier in a cookie, and then what?

I am currently building a site using GWT while on AppEngine. I do this with my own logins that I do (I know that Google provides something with GWT, but I need my login system), and I have been trying to figure out sessions for a long time. I found several tutorials, and one of the sites I read was http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ

That page has a section called "How to remember logins". I know how to get the session ID and store it on the client in a cookie using an RPC call. What I do not understand is the end of the story: after a day or so the user returns, and I have to get the session ID from the cookie and send it back to the server. What should I do on the server in order to reliably evaluate whether the session identifier is legal and get all the necessary information about the user?

Additional questions:

  1. What will change the session identifier?
  2. What to do if the user was on a laptop and the user went somewhere else. Will it still be safe to log in without re-entering his username and password?

Thanks!

~ Scott

+7
session gwt gwt-rpc
2 answers

A similar question: the question of setting up GWT, cookies and a web page.
One important thing you should remember: do not rely solely on cookies - pass the session identifier / token in the request payload and compare it with the server-side cookie value. This will prevent XSRF attacks. This is what you should worry about.

The policy on how to handle session identifiers depends on how seriously you take security in your application and what type of application it is. For example, you can log in with the same token on GMail from different IP addresses - I suppose they resolved this, because the common thing is that the user's IP address changes in sessions. However, they have added a feature that allows you to see which IP addresses you have logged into recently. And do not forget about users with dynamic IP addresses (quite a large number). If you keep track of tokens and IP addresses, you basically prevent these users from conducting a session between sessions.

What should I do on the server so that the Session ID is still legal and pulls up all the necessary information about the user?

You must keep track of login IDs / pairs in your database.

What will change the session id?

Either it expires, or the user tries to log in with a token that is not associated with their IP. You can also add your own rules - for example, the number of logins, etc. For added security, you can generate a new session identifier / token for each new login / session (the user authenticates with the old token, the server checks its validity and sends a new token back to the user, which he / she should use from now on).

+8

To remember logins, you need to securely generate a unique session identifier. This is usually placed in a cookie. I would recommend using a framework that makes session cookies for you. The wrong decision may leave your site open to abuse. The following issues should be considered:

  • You need to worry about cookie theft. The IP address of the user must be encoded in the session identifier or associated with the session identifier. Check the IP address every time you access the page.
  • Make sure your logins are in encrypted sessions. Otherwise, you open the credentials in clear text on the network.
  • How long the session lasts: sessions must time out after the deadline. It may be several hours or days.
  • Remember that a different cookie must have different functionality. It should contain something that can be used to indicate the user. Depending on your security requirements, this may be an encrypted value. This cookie may have a longer timeout.

Answers to your additional questions:

  • Nothing on the client side will likely change the session identifier. The session ID must be restored at every login.
  • Depending on how secure the session identifier is, they may need to log in. Secure session cookies often encode an IP address to prevent theft of cookies. If so, the laptop user will need to log in again.
+1
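Both answers describe the same server-side mechanics: an opaque, securely generated token kept in a table against the user (and, optionally, the client IP) with an expiry, a copy of the token sent in the RPC payload and compared with the cookie value to defeat XSRF, and a fresh token issued at each login. The Java class below is an added illustration of that lookup and is not code from either answer, from GWT or from App Engine; the class, method and field names, the in-memory map standing in for the database table, and the sample user id and IP addresses are all assumptions made for the example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not from the original answers or from GWT/App Engine.
 * Minimal server-side session store: token -> (user, client IP, expiry).
 * All names here are assumptions chosen for illustration.
 */
public class SessionStore {
    private static final SecureRandom RNG = new SecureRandom();
    // One day, matching the "after a day or so" scenario in the question.
    static final long SESSION_TTL_MS = 24L * 60 * 60 * 1000;

    /** One row of the "login id / token" table the first answer says to keep in the database. */
    static final class Session {
        final String userId;
        final String clientIp;   // bound at login, compared on every request (second answer)
        final long expiresAt;    // absolute time in ms after which the token is no longer legal
        Session(String userId, String clientIp, long expiresAt) {
            this.userId = userId;
            this.clientIp = clientIp;
            this.expiresAt = expiresAt;
        }
    }

    // In-memory stand-in for the database table; on App Engine this would be a datastore entity.
    private final Map<String, Session> sessions = new HashMap<>();

    /** Securely generate an opaque, unguessable token: 32 random bytes as URL-safe base64. */
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Called once the username/password check has succeeded; returns the token to put in the cookie. */
    public String login(String userId, String clientIp, long now) {
        String token = newToken();
        sessions.put(token, new Session(userId, clientIp, now + SESSION_TTL_MS));
        return token;
    }

    /**
     * Validate a returning request. cookieToken is the value read from the cookie;
     * payloadToken is the copy the client placed in the RPC payload. Returns the
     * user id the session belongs to, or null if the session is not legal.
     */
    public String validate(String cookieToken, String payloadToken, String clientIp, long now) {
        // XSRF check from the first answer: a forged cross-site request carries the
        // cookie automatically but cannot put the matching token into the payload.
        if (cookieToken == null || !cookieToken.equals(payloadToken)) return null;
        Session s = sessions.get(cookieToken);
        if (s == null) return null;                       // token never issued or already revoked
        if (now >= s.expiresAt) {                         // expired: drop the row so it cannot be replayed
            sessions.remove(cookieToken);
            return null;
        }
        if (!s.clientIp.equals(clientIp)) return null;    // laptop moved to another network: require re-login
        return s.userId;
    }

    /** Token rotation from the first answer: accept the old token once, then replace it with a fresh one. */
    public String rotate(String cookieToken, String payloadToken, String clientIp, long now) {
        String userId = validate(cookieToken, payloadToken, clientIp, now);
        if (userId == null) return null;
        sessions.remove(cookieToken);                     // the old token must not work again
        return login(userId, clientIp, now);              // client stores and uses this one from now on
    }

    public static void main(String[] args) {
        SessionStore store = new SessionStore();
        long t0 = 0L;
        // Constructed sample values: user "scott" logging in from a documentation-range address.
        String tok = store.login("scott", "203.0.113.5", t0);
        System.out.println("same token, same IP:      " + store.validate(tok, tok, "203.0.113.5", t0 + 1000));
        System.out.println("payload/cookie mismatch:  " + store.validate(tok, "other", "203.0.113.5", t0 + 1000));
        System.out.println("different client IP:      " + store.validate(tok, tok, "198.51.100.9", t0 + 1000));
        String rotated = store.rotate(tok, tok, "203.0.113.5", t0 + 2000);
        System.out.println("old token after rotation: " + store.validate(tok, tok, "203.0.113.5", t0 + 3000));
        System.out.println("rotated token, expired:   "
                + store.validate(rotated, rotated, "203.0.113.5", t0 + 2000 + SESSION_TTL_MS));
    }
}
```

The IP comparison in validate implements the second answer's advice; the first answer's caveat applies to it, since users on dynamic IP addresses will be logged out whenever their address changes, so whether to keep that line depends on how seriously the application takes security versus convenience. Everything else (opaque token, payload-versus-cookie comparison, expiry, rotation) applies regardless of that choice.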