I am implementing user logins and authentication using the model
presented in the login security FAQ. In particular I plan on manually
maintaining a table of {sessionID,User,timeout} values for each active
session and not using the normal servlet session functionality.
So, my question is, where do I get the ID that is returned to the
client? I know that I can get one from the servlet session using
HttpServletRequest.getSession().getId() but it seems like I could just
use any randomly generated key right? And maybe in fact I should not
use that technique because that sessionID is also in the header where
it can be easily snooped right? So, what is a good technique for
generating the sessionID? To avoid duplicates I would just check the
sessionID table before returning the sessionID to the client and if it
is already in use I just call generateSessionID() again. So my
question is what should getSessionID() look like?
I realize the recommended approach in the LoginSecurityFAQ is
controversial and I've already read all that debate so I'm not really
interested in more of that. I just need specific help regarding these
questions assuming I am doing what is recommended in the FAQ.
Thanks in advance for any help.
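One way to build the {sessionID, User, timeout} table and the ID generator described above, as an added example (not code from the FAQ or the original post); it assumes Java 8+ for `java.util.Base64`, and the class, method names and 30-minute timeout are illustrative choices:

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical server-side session table: sessionID -> {user, expiry}. */
public class SessionTable {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TTL_MS = 30L * 60 * 1000; // assumed 30-minute idle timeout

    private static final class Entry {
        final String user;
        volatile long expiresAt;
        Entry(String user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
    }

    private final Map<String, Entry> sessions = new ConcurrentHashMap<>();

    /** 128 bits from a CSPRNG, URL-safe encoded. Not java.util.Random, a timestamp or a counter:
     *  the ID is the only proof of login, so it must be unguessable, not merely unique. */
    static String generateSessionID() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Create a session. putIfAbsent does the "already in use?" check and the insert atomically,
     *  so two concurrent logins cannot both win the same ID; the loop retries on a collision. */
    public String login(String user) {
        while (true) {
            String id = generateSessionID();
            Entry e = new Entry(user, System.currentTimeMillis() + TTL_MS);
            if (sessions.putIfAbsent(id, e) == null) {
                return id; // send to the client only over TLS, e.g. in an HttpOnly cookie
            }
        }
    }

    /** Returns the user for a live session (sliding timeout), or null if unknown or expired. */
    public String validate(String id) {
        if (id == null) return null;
        Entry e = sessions.get(id);
        if (e == null) return null;
        long now = System.currentTimeMillis();
        if (e.expiresAt < now) { sessions.remove(id, e); return null; }
        e.expiresAt = now + TTL_MS;
        return e.user;
    }

    /** Invalidate on logout so the ID cannot be replayed. */
    public void logout(String id) { sessions.remove(id); }
}
```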