[ale] User authentication in web app

Jerald Sheets jsheets at yahoo.com
Tue Mar 16 16:51:35 EST 2004


Hey Ed...

Your "From" in the header is showing up as "".

You might want to put your proper name in the "From"
designation in Pine (or Outlook, or OE, etc. etc.)

--js


---  <mainwizard at vei.net> wrote:
> 
> The correct way is to match the username 
> 
> select * from users where USERNAME = 'value';
> 
> And if you get a match you then check that the
> password for that user matches the password
> supplied.
> 
> ed.
> 
> ----- Original Message -----
> From: Chris Fowler
> Sent: 3/16/2004 7:47:20 AM
> To: ajug-members at ajug.org;ale at ale.org
> Subject: [ale] User authentication in web app
> 
> > I'm trying to determine the best way to do user auth in a web
> > application.  I've not done this yet inside of servlets.  I've done it
> > within our CGI programs that were all written in C.
> > 
> > In the past all users were stored in our special password system.  This
> > was on an embedded machine.  I used getpwnam() to get user data and then
> > I would get ACL data.  That is just the details.  To track users I would
> > auth their password against the one in the passwd system using one way
> > encryption.  I then took the one way encrypted string and added it to a
> > cookie.  The cookie data was 128-bit encrypted.  Every time the user
> > would access a page I would then re-authenticate them with that one way
> > encrypted password that they entered on the login page.  If there was no
> > match then I would redirect them to the login page.  The reason I did
> > this was in the condition that the administrator changed their password
> > or rights in between pages.  This was the only way I could think of how
> > to guarantee they had privs to the site.
> > 
> > I want to do a similar thing in the webapp.  I plan on using a table in
> > our database to store user accounts for the application.  So during the
> > login phase I'll get their password and do a select on that table.  I
> > could simply use the password() function in mysql like this:
> > 
> > select * from users where PASSWORD like PASSWORD('value');
> > 
> > If I get a row then obviously the password matched.  Is this the correct
> > thing to do?
> > 
> > Next question I have is on session tracking.  I can then use the servlet
> > session API and then add this encrypted string to the cookie.  Every
> > time the user accesses a page I can then do this:
> > 
> > select * from users where PASSWORD like PASSWORD('value');
> > 
> > If I get a match then I know the user is good.  Otherwise I need to
> > redirect them to the login servlet.
> > 
> > This is the only way I can guarantee they have access between each page.
> > 
> > Is my solution a good solution, or does it provide too much overhead?  I
> > want to keep good track of users and make sure there are no loopholes in
> > the security system.
> > 
> > Thanks,
> > Chris
> > 
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> > 
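As an added illustration of the two points raised in this thread (it is not code from any of the posters, and it uses Python with an in-memory SQLite table in place of Chris's servlets and MySQL), the example below shows why matching on the password alone cannot identify a user, implements Ed's order of operations (find the row by username, then verify the password), and handles the case Chris was worried about: an administrator changing the user's password between page loads. It swaps in a salted PBKDF2 hash for MySQL's unsalted PASSWORD() function, and the cookie carries a random session token instead of the hashed password. The schema, the three sample accounts and the `generation` counter are all constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

# Hypothetical schema and sample accounts constructed for this example; the
# in-memory SQLite database stands in for the MySQL users table in the thread.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256), used here instead of
    the unsalted MySQL PASSWORD() function mentioned in the thread."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_demo_db() -> sqlite3.Connection:
    """Create the tables and three constructed accounts; alice and bob share a password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,"
        " salt BLOB NOT NULL, pw_hash BLOB NOT NULL, generation INTEGER NOT NULL DEFAULT 0)"
    )
    # generation is copied into each session so a password change invalidates it
    conn.execute(
        "CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id INTEGER NOT NULL,"
        " generation INTEGER NOT NULL)"
    )
    for username, password in (("alice", "hunter2"), ("bob", "hunter2"), ("carol", "s3cret")):
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
            (username, salt, hash_password(password, salt)),
        )
    return conn


def users_matching_password(conn, password: str) -> list:
    """The thread's 'WHERE PASSWORD = PASSWORD(value)' idea: identify a user by
    password alone.  With salted hashes this has to loop over rows, but the
    defect is the same: users who share a password are indistinguishable."""
    matches = []
    for username, salt, pw_hash in conn.execute("SELECT username, salt, pw_hash FROM users"):
        if hmac.compare_digest(hash_password(password, salt), pw_hash):
            matches.append(username)
    return matches


def authenticate(conn, username: str, password: str):
    """Ed's order: look the row up by username, then verify the password.
    Returns a random session token on success, None otherwise."""
    row = conn.execute(
        "SELECT id, salt, pw_hash, generation FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # hash anyway so an unknown username takes as long as a wrong password
        hash_password(password, b"\x00" * 16)
        return None
    user_id, salt, pw_hash, generation = row
    if not hmac.compare_digest(hash_password(password, salt), pw_hash):
        return None
    # the cookie gets an unguessable token, never the password hash itself
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO sessions VALUES (?, ?, ?)", (token, user_id, generation))
    return token


def current_user(conn, token: str):
    """Per-request check: the session must exist and the account's credentials
    must not have changed since login (the case Chris wanted to catch)."""
    row = conn.execute(
        "SELECT u.username, u.generation, s.generation FROM sessions s"
        " JOIN users u ON u.id = s.user_id WHERE s.token = ?", (token,)
    ).fetchone()
    if row is None:
        return None
    username, user_gen, session_gen = row
    if user_gen != session_gen:
        conn.execute("DELETE FROM sessions WHERE token = ?", (token,))
        return None
    return username


def change_password(conn, username: str, new_password: str) -> None:
    """Re-salt, re-hash and bump the generation, which logs out every existing session."""
    salt = os.urandom(16)
    conn.execute(
        "UPDATE users SET salt = ?, pw_hash = ?, generation = generation + 1 WHERE username = ?",
        (salt, hash_password(new_password, salt), username),
    )
```

Running `users_matching_password(conn, "hunter2")` against the sample table returns both `alice` and `bob`, which is the whole problem with the password-only `select`: the query proves that *some* account has that password, not which one. `authenticate` fixes the lookup order, and the `generation` column gives the per-page re-check Chris described without putting any password material in the cookie: after `change_password`, `current_user` rejects the old token and the user is sent back to the login servlet.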




