开发者

What's the best approach to security for a website?

I'm writing a GWT application, and I've been asked to implement the user management portion of the website. I know a little bit about salting, hashing, encry开发者_运维问答pting, and user tokens, but I've never read any books or studied papers on the subject.

I'm planning on doing a stateless implementation which means keeping user identifiers and submitting them to the server on every request. No server-side session data will be used. I'm looking at Apache Shiro, and I like the low level of integration so that I don't need to hook up to complex frameworks.

My biggest concern is with having a user token that doesn't expire. If I give them a token and they never log off, then I want the token to persist and be valid so that they can leave the web browser open overnight, and not have any session problems.

Does this plan leave the site vulnerable?


There is always some state that you'll have to keep on the servers if you want to perform any kind of user login. The only question is: Where does that state reside?

  1. In the application server or
  2. In the database (or maybe some other storage)

Obviously, the user name and password will be saved in the database. A session token is usually kept in the application server's memory - but it doesn't have to be. You could just as well save it in the database.

Because your implementation is stateless, with your current solution you'll have to retrieve the user name and password from the database for every request. You could easily change this to retrieve a token and timestamp instead. The only significant change is, that there may be multiple sessions per user, so you'll need a 1:N relation for users/tokens.


First:

If you want to write secure web pages read the OWASP Top Ten. This is comprehensive summary of most web applications vulnerabilities.

Second:

The main problem with your solution is the expiriation time of that token. If attacker will find out its value he will be able to impersonate real user for a long time. Also it is vulnerable for a brute force attack, when attacker will try to guess a token value. It would be wise to ask the real user for a password once in a few days and then change the token value.


I'm planning on doing a stateless implementation which means keeping user identifiers and submitting them to the server on every request. No server-side session data will be used. I'm looking at Apache Shiro, and I like the low level of integration so that I don't need to hook up to complex frameworks.

What happens when I copy someone's cookie?

What happens when I decipher the identifier and change it? (is it a int value?)

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜