[ale] User authentication in web app

mainwizard at vei.net
Tue Mar 16 16:47:39 EST 2004


The correct way is to match the username:

select * from users where USERNAME = 'value';

And if you get a match you then check that the password for that user matches the password supplied.

ed.

----- Original Message -----
From: Chris Fowler
Sent: 3/16/2004 7:47:20 AM
To: ajug-members at ajug.org;ale at ale.org
Subject: [ale] User authentication in web app

> I'm trying to determine the best way to do user auth in a web
> application.  I've not done this yet inside of servlets.  I've done it
> within our CGI programs that were all written in C.
>
> In the past all users were stored in our special password system.  This
> was on an embedded machine.  I used getpwnam() to get user data and then
> I would get ACL data.  That is just the details.  To track users I would
> auth their password against the one in the passwd system using one-way
> encryption.  I then took the one-way encrypted string and added it to a
> cookie.  The cookie data was 128-bit encrypted.  Every time the user
> would access a page I would then re-authenticate them with that one-way
> encrypted password that they entered on the login page.  If there was no
> match then I would redirect them to the login page.  The reason I did
> this was in the condition that the administrator changed their password
> or rights in between pages.  This was the only way I could think of how
> to guarantee they had privs to the site.
>
> I want to do a similar thing in the webapp.  I plan on using a table in
> our database to store user accounts for the application.  So during the
> login phase I'll get their password and do a select on that table.  I
> could simply use the password() function in mysql like this:
>
> select * from users where PASSWORD like PASSWORD('value');
>
> If I get a row then obviously the password matched.  Is this the correct
> thing to do?
>
> Next question I have is on session tracking.  I can then use the servlet
> session API and then add this encrypted string to the cookie.  Every
> time the user accesses a page I can then do this:
>
> select * from users where PASSWORD like PASSWORD('value');
>
> If I get a match then I know the user is good.  Otherwise I need to
> redirect them to the login servlet.
>
> This is the only way I can guarantee they have access between each page.
>
> Is my solution a good solution or provides too much overhead?  I want to
> keep good track of users and make sure there are no loopholes in the
> security system.
>
> Thanks,
> Chris
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>
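Added example (editor's code, not from either poster or the ale list): the two lookups discussed in this thread, run against an in-memory SQLite table standing in for the MySQL users table. It shows why the password-only query from the original question cannot identify the user when two accounts share a password, the username-first lookup from the reply with the password checked afterwards, and the per-page re-check Chris describes, where the hash captured at login is compared with the row's current hash so an administrator's password change kicks the session back to the login page. All accounts, passwords and roles are constructed for the demo; pw_hash() is an assumed stand-in for MySQL's PASSWORD(), and the session store, token format and function names are mine.

```python
import hashlib
import hmac
import secrets
import sqlite3


def pw_hash(password: str) -> str:
    """Stand-in for MySQL's PASSWORD(): a deterministic one-way hash (assumed).
    Kept unsalted only so the demo can mirror the thread's query; real
    accounts should use a salted, slow hash such as bcrypt or PBKDF2."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed users table; alice and bob deliberately share a password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
               "pwhash TEXT NOT NULL, role TEXT NOT NULL)")
    rows = [("alice", "hunter2", "admin"), ("bob", "hunter2", "user"),
            ("carol", "s3cret", "user")]
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(u, pw_hash(p), r) for u, p, r in rows])
    db.commit()
    return db


def login_by_password(db, password: str) -> list:
    """The lookup from the original question: match on the hash alone.
    Every row with that hash comes back, so a shared password gives several
    candidates and no way to tell which user actually logged in."""
    cur = db.execute("SELECT username, role FROM users WHERE pwhash = ? "
                     "ORDER BY username", (pw_hash(password),))
    return cur.fetchall()


def login(db, username: str, password: str):
    """The reply's recommendation: find the row by username first, then check
    the supplied password against that row's hash. The value is bound as a
    parameter rather than spliced into the SQL string.
    Returns (username, role, pwhash) on success, None on failure."""
    row = db.execute("SELECT username, role, pwhash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return None
    # constant-time comparison so a mismatch cannot be detected by timing
    if not hmac.compare_digest(row[2], pw_hash(password)):
        return None
    return row


def start_session(sessions: dict, row) -> str:
    """Issue a random session token; the hash captured at login stays
    server-side instead of travelling in the cookie."""
    token = secrets.token_urlsafe(32)
    sessions[token] = {"username": row[0], "pwhash": row[2]}
    return token


def check_request(db, sessions: dict, token: str):
    """Per-page check: re-read the user's current row and compare it with what
    was captured at login. A password change or a deleted account invalidates
    the session on the next request (the caller redirects to the login page)."""
    sess = sessions.get(token)
    if sess is None:
        return None
    row = db.execute("SELECT username, role, pwhash FROM users WHERE username = ?",
                     (sess["username"],)).fetchone()
    if row is None or not hmac.compare_digest(row[2], sess["pwhash"]):
        sessions.pop(token, None)
        return None
    return {"username": row[0], "role": row[1]}


def admin_set_password(db, username: str, new_password: str) -> None:
    """Simulates the administrator changing a password between page loads."""
    db.execute("UPDATE users SET pwhash = ? WHERE username = ?",
               (pw_hash(new_password), username))
    db.commit()


def run_demo() -> dict:
    """Exercise both lookups and the per-request re-check; returns the
    observed results so they can be inspected or asserted on."""
    db = make_db()
    sessions = {}
    results = {"by_password": [r[0] for r in login_by_password(db, "hunter2")]}
    row = login(db, "alice", "hunter2")
    results["login_ok"] = row is not None
    results["bad_password"] = login(db, "alice", "wrong")
    token = start_session(sessions, row)
    results["first_request"] = check_request(db, sessions, token)
    admin_set_password(db, "alice", "changed-by-admin")
    results["after_admin_change"] = check_request(db, sessions, token)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it prints two candidates ("alice" and "bob") for the password-only lookup, a successful username-first login, a working first request, and None once the administrator has changed the password, which is the redirect-to-login case in the thread. The re-check costs one indexed SELECT per page; if that overhead matters, a per-user "credentials version" column compared on each request gives the same guarantee without re-hashing anything.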