Genadinik

Reputation: 18639

Tracking whether user is logged-in in a stateless web application?

If I wanted to enable users to log in and out, what would be some good patterns of doing this in a stateless application?

Also, what are the top security concerns? I am thinking of doing this in Java.

Thanks, Alex

Upvotes: 0

Views: 937

Answers (1)

jihop

Reputation: 51

If you cannot store session data in the user's browser (via a cookie), this is probably very hard to achieve.

I'm not sure what you mean by "stateless", but if storing a session key in the user's browser is not possible, you can always send this "key" in the HTML you produce. This "key" will be something you randomly generate (random enough that nobody can easily guess it). The "key" is only known by you and the user. Whenever the user requests a new page, he needs to "POST" or "GET" this key as an HTTP parameter if he wants to be identified as logged in.

The security concern with this is that if you do it over non-secure HTTP, the network can easily be sniffed. If you do it over SSL (HTTPS) it is probably more secure.

Upvotes: 2
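The pattern the answer describes, carried through as an added example (this is not code from the question or the answer, and the question mentions Java; Python is used here only for a runnable illustration). Pattern 1 is the answer's random key: generated with a CSPRNG, embedded in the produced HTML as a hidden form field, and resent as a request parameter. Note that the server must remember which keys it issued, so it keeps state. Pattern 2 goes one step further than the answer, to a genuinely stateless variant: the token carries the username and an expiry, authenticated with an HMAC under a server-side secret, so the server stores nothing and still cannot be fooled by a forged or edited token. The in-memory key store, the per-process secret, the `|` delimiter and the `key` form-field name are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from html import escape
from typing import Dict, Optional

# --- Pattern 1: random key, as in the answer above ---------------------------
# The server has to remember issued keys, so it is not truly stateless.
# Assumption: a plain in-memory dict stands in for a real session store.
_issued_keys: Dict[str, str] = {}  # key -> username


def login_with_random_key(username: str) -> str:
    """Issue a 256-bit random key; CSPRNG so it cannot be guessed or predicted."""
    key = secrets.token_urlsafe(32)
    _issued_keys[key] = username
    return key


def user_for_random_key(key: str) -> Optional[str]:
    """Look the key up; unknown or revoked keys mean 'not logged in'."""
    return _issued_keys.get(key)


def logout_random_key(key: str) -> None:
    """Logout is simply forgetting the key server-side."""
    _issued_keys.pop(key, None)


def render_page(key: str, body: str) -> str:
    """Embed the key in the produced HTML as a hidden field on a POST form.

    POST is preferred over GET so the key does not end up in URLs, browser
    history, proxy logs or Referer headers. The value is HTML-escaped so a
    key can never break out of the attribute.
    """
    return (
        "<form method='POST' action='/page'>"
        f"<input type='hidden' name='key' value='{escape(key)}'>"
        f"<p>{escape(body)}</p><button>Next</button></form>"
    )


# --- Pattern 2: HMAC-signed token, no server-side state --------------------
# Assumption: the secret is generated per process here; a real deployment
# loads it from configuration so every server instance shares it.
SERVER_SECRET = secrets.token_bytes(32)


def _sign(payload: str, secret: bytes) -> str:
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def mint_token(username: str, ttl_seconds: int = 3600,
               now: Optional[float] = None, secret: bytes = SERVER_SECRET) -> str:
    """Token = username|expiry|HMAC. Only the holder of the secret can mint one."""
    exp = int((time.time() if now is None else now) + ttl_seconds)
    payload = f"{username}|{exp}"
    return f"{payload}|{_sign(payload, secret)}"


def verify_token(token: str, now: Optional[float] = None,
                 secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Return the username if the token is authentic and unexpired, else None.

    rsplit from the right so a username containing '|' cannot shift fields.
    compare_digest avoids leaking the correct MAC through timing.
    There is no revocation in a stateless scheme, which is why the TTL is
    kept short; 'logout' on the client is just discarding the token.
    """
    try:
        username, exp_s, sig = token.rsplit("|", 2)
        exp = int(exp_s)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(f"{username}|{exp}", secret)):
        return None
    if (time.time() if now is None else now) >= exp:
        return None
    return username


if __name__ == "__main__":
    k = login_with_random_key("alex")
    print(render_page(k, "Welcome back"))
    t = mint_token("alex", ttl_seconds=60)
    print("signed token valid for:", verify_token(t))
```

Either way the key or token travels with every request, which is exactly why the answer's point about plain HTTP matters: anyone who can read the traffic can replay it and become that user. Serve everything over HTTPS, and prefer the POST form so the secret never appears in a URL.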
