Reputation: 665
I have a Java servlet web application. In the application I have two authorization logics:
1. Authorization via username and password - standard login via a web form with the username and password that the user fills in.
2. Authorization via cookies. Once the user fills in the username and password and checks a 'remember me' checkbox, after this he shouldn't have to enter the username/password again.
I have a question about option number two (cookies). At the moment the logic is: I check if the user checked 'remember me', I get his username and password hash, and store them in the cookies (two cookies: username, password). But I think that this way is not secure, because somebody can steal the cookies and get access to the web app. The question is: what is the most secure way to authorize a user via cookies? What should I store in the cookies?
Upvotes: 2
Views: 309
Reputation: 5587
First you want to use SSL/TLS for communicating with your server. You can purchase cheap certificates for your site, so don't sweat it. Even then you shouldn't store the username and password in a cookie; that's not safe, since someone can hack their computer and retrieve their password, which isn't your problem, but don't even get yourself involved in that mess and have it come back to bite you.
You typically create a random session id that expires after a certain amount of time, and insert it into your user table along with the current timestamp. That session id is what you store in the cookie, and you check for it in the database each time they try to log in with the cookie. If it's too old (you check the timestamp vs. whatever length you decide) then you invalidate the session id and ask them to log in with their username and password, thus creating a new session id.
There is more to it to prevent the cookie from being copied to another computer (you don't have to worry about it being copied over the wire; that's what SSL/TLS is for), like adding the IP address and browser to the cookie, and some other stuff, but that might be overkill for what you are doing.
Upvotes: 1
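One way to implement the token scheme this answer describes, as an added example in Java (not code from the question or either answer): an in-memory map stands in for the user table (an assumption), the cookie carries only a random token, and the server stores the token's SHA-256 hash with its expiry; the record syntax needs Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Remember-me tokens: the cookie carries a random token, the server keeps only its hash. */
public class RememberMe {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration LIFETIME = Duration.ofDays(30);
    /** Stand-in for the row in the user table: token owner and expiry timestamp. */
    record Entry(String username, Instant expiresAt) {}
    // Hypothetical in-memory store keyed by SHA-256(token); a leaked table yields no usable cookies.
    private final Map<String, Entry> tokensByHash = new ConcurrentHashMap<>();

    /** After a successful password login with "remember me" ticked: returns the Set-Cookie value. */
    public String issue(String username) {
        byte[] raw = new byte[32];                             // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokensByHash.put(sha256(token), new Entry(username, Instant.now().plus(LIFETIME)));
        // HttpOnly: not readable by scripts; Secure: never sent over plain HTTP; SameSite: not sent cross-site.
        return "remember_me=" + token + "; Max-Age=" + LIFETIME.getSeconds()
                + "; Path=/; HttpOnly; Secure; SameSite=Lax";
    }

    /** On a request with no live session but a remember_me cookie: the user, or null to force a login. */
    public String authenticate(String token) {
        String hash = sha256(token);
        Entry entry = tokensByHash.get(hash);
        if (entry == null) return null;                        // unknown or already invalidated
        if (Instant.now().isAfter(entry.expiresAt())) {        // too old: drop it and ask for the password
            tokensByHash.remove(hash);
            return null;
        }
        return entry.username();
    }

    /** Logout or suspected cookie theft: invalidate every remember-me token for the account. */
    public void revokeAll(String username) {
        tokensByHash.entrySet().removeIf(e -> e.getValue().username().equals(username));
    }

    private static String sha256(String s) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return Base64.getEncoder().encodeToString(md.digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

In a servlet you would pass the string from `issue` to `response.addHeader("Set-Cookie", ...)` and hand the cookie's value to `authenticate` in a filter that runs before the protected pages.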
Reputation: 2727
If you are using HTTPS (which you should be), no one can "steal" the cookies unless they get that information from the person's actual computer. Just make sure that once the user is logged in they do not access the page with a normal HTTP request, or your cookie data will be exposed.
Upvotes: 0