Geek Answers Handbook

Why remember me a token?

During the implementation of the remember me function for the website, why do we complicate things and have a token called a token, with the exception of the session token.

As I understand it, remember that the token can be used to log into the system and create a new session token, while the session token lasts only a few minutes or until the user closes the browser. Why can't we extend the validity of the session token itself to the desired time by which we want the user to be registered?

I need to implement this functionality in a Flex application working on tomcat, and I wonder if I need to remember tokens

Also, is it possible to get this functionality out of the box inside tomcat?

+7
source share
5 answers

1) Sessions usually contain a whole bunch of data other than the username. Therefore, if you just set the expiration date to several weeks or months, as I recall the token, you would probably encounter performance problems on the server due to thousands or millions of heavy session objects.

2) Remember that tokens are the client side, not the server side. This puts all the storage requirements in a user browser, which is the best solution for simple data such as usernames. If you used the session identifier associated with objects in memory on the server, then every time you restart the server or server process (for example, to deploy an updated application), all those session objects will be lost.

+11
source

Since, by definition, a session ends as soon as the user closes his browser. This way, the session cookie expires as soon as the browser is closed.

Since the purpose of remembering is to support the user in all sessions, the information stored in the cookie is stored in the browser restart.

To get this functionality out of the box, look at a framework like Spring Security .

+3
source

Remember-me cookies usually store a username and some token. Both are used for user authentication. Take a look at the Improved Persistent Login Cookie , which describes the process quite well.

A session cookie is used to store the session identifier on the client, which allows the server to recognize the session loading session data associated with the session.

So remember that cookies have a longer lifespan (usually days or weeks) than session cookies. Session cookies usually end after a few minutes or when the browser is closed.

At the top of my head, there are several reasons why two different cookies are used:

  • If only a persistent keep-me cookie is used, the server will need to authenticate the user with each request. When an additional session cookie is used, the server should not do this while the session is valid. Of course, the session identifier can be stored in the pump cookie, but what does this mean?
  • From a coding point of view, it is better to reuse the existing session mechanism. Why reinvent the wheel and not just add a feature (cookie authentication) that can be easily turned on / off?
+1
source

People correctly said that the session contains several objects with a heavy weight. If there are enough users on your system, if you try to save them in the finite amount of memory available on the server, you will eventually encounter the server with the maximum amount of memory.

I worked on the project once when updating the production code had a memory leak. It was a J2EE project (yes J2EE, not Java EE). When a user logged in to verify his account with this telephone company, the user session was not correctly released from memory (I cannot remember the reason, but this is definitely a problem). This error mimics what you ask for intent.

The server continued to fail. Therefore, we put a profiler on it. We will ensure that memory usage increases during the day until it is completed and ended after the application server crashes. We added memory and increased the tuning of the VM memory. I told them it was a memory leak, but because I was not a “server expert” for $ 200 an hour, people didn’t want to believe it, because the people who were there still believed that The garbage collector was powerful, not just very good.

Two days later (this affected the “view your account” system, and not the main business system, that is, it did not have the same load or memory requirements, even if the servers had a lot of hardware memory), they hired a couple $ 200 per hour consultants who informed them every other day that they had the aforementioned memory leak. This was fixed, and everything was fine ... minus the fees of the consultants.

In any case, this is a cancellation: if you do not end user sessions when users log out or close their browser (session time), you risk maximizing your memory and crashing your servers, especially if your site or application has a significant number of users. As others have mentioned, it is best to use lightweight tokens / cookies.

0
source

The reason why we should use a different cookie than the sessionId cookie in order to remember the user is not because the sessions should end quickly or you will run into server performance problems.

Jetty (and probably many other servlet containers) has a feature that automatically squeezes out idle sessions from memory to a disk or database, which IMHO eliminates all the above justifications for performance problems associated with storing heavyweight sessions in memory.

The reason for using another cookie is that remember that I have to remember the user even after the session expires. Thus, if the user session has expired, another cookie is used to authenticate the user without having to enter a password, which obviously makes phishing attempts less likely. Although there are drawbacks, for example, if someone accesses your laptop and steals your authentication tokens, you can impersonate you, unless the server takes even more security measures to bind the token to your client and location.

In short, remember that I am an authentication mechanism, not a substitute for cookies.

I think it’s good to have long session expiration dates if they are stored out of memory. And as soon as they expire, just ask for the password. Many websites offer this feature as “Remember me for 30 days,” which is achieved only with a long cookie session, nothing else.

0
source

More articles:


All Articles