LoginSecurityFAQ is here BTW (http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ)
On Jun 10, 12:28 pm, eags <[email protected]> wrote:
> I found one discussion with the author of the LoginSecurityFAQ where
> they ask this exact question and he does state that using a random
> sessionID other than the one automatically included in the http header
> generated by the servlet is best.
> (http://groups.google.com/group/Google-Web-Toolkit/browse_thread/thread/208f0144bc686114/842ba54ffa4f9265?lnk=gst&q=user+authentication+login+sessions#842ba54ffa4f9265)
>
> As for how to generate the token I'm thinking:
>
> String sessionID = UUID.randomUUID().toString();
>
> Any feedback is great as I'm really new to this stuff.
>
> Thanks.
>
> On Jun 10, 10:14 am, eags <[email protected]> wrote:
>
> > I am implementing user logins and authentication using the model
> > presented in the login security FAQ. In particular I plan on manually
> > maintaining a table of {sessionID,User,timeout} values for each active
> > session and not using the normal servlet session functionality.
> >
> > So, my question is, where do I get the ID that is returned to the
> > client? I know that I can get one from the servlet session using
> > HttpServletRequest.getSession().getId() but it seems like I could just
> > use any randomly generated key right? And maybe I in fact should not
> > use that technique because that sessionID is also in the header where
> > it can be easily snooped right? So, what is a good technique for
> > generating the sessionID? To avoid duplicates I would just check the
> > sessionID table before returning the sessionID to the client and if it
> > is already in use I just call generateSessionID() again. So my
> > question is what should getSessionID() look like?
> >
> > I realize the recommended approach in the LoginSecurityFAQ is
> > controversial and I've already read all that debate so I'm not really
> > interested in more of that. I just need specific help regarding these
> > questions assuming I am doing what is recommended in the FAQ.
> >
> > Thanks in advance for any help.
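Added example, not code from this thread, from GWT or from the incubator's LoginSecurityFAQ: a small server-side session table of the {sessionID, User, timeout} form the original poster describes, with the ID drawn from java.security.SecureRandom. The class, method and field names (SessionRegistry, login, userFor, Row, and so on) are assumptions. UUID.randomUUID() as proposed above is also backed by SecureRandom in the standard JDK and yields 122 random bits, so it is a reasonable choice; this version draws 256 bits directly and makes the "check the table, retry on collision" step atomic.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical server-side session table of the {sessionID, User, timeout}
 * form discussed in the thread. Not GWT or gwt-incubator code.
 */
public class SessionRegistry {

    /** One row of the table: who the session belongs to and when it lapses. */
    private static final class Row {
        final String user;
        volatile long expiresAtMillis;

        Row(String user, long expiresAtMillis) {
            this.user = user;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    // SecureRandom is a CSPRNG; java.util.Random is predictable and unsuitable for tokens.
    private static final SecureRandom RNG = new SecureRandom();
    private static final int TOKEN_BYTES = 32; // 256 bits of entropy per session ID

    private final Map<String, Row> sessions = new ConcurrentHashMap<>();
    private final long idleTimeoutMillis;

    public SessionRegistry(long idleTimeoutMillis) {
        this.idleTimeoutMillis = idleTimeoutMillis;
    }

    /** Fresh opaque token, URL-safe base64 so it survives cookies and GWT-RPC strings. */
    static String newToken() {
        byte[] buf = new byte[TOKEN_BYTES];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /**
     * Creates a session for an already-authenticated user and returns its ID.
     * putIfAbsent performs the "is it already in the table?" check and the
     * insert as one atomic step, so two concurrent logins cannot share an ID.
     */
    public String login(String user) {
        while (true) {
            String token = newToken();
            Row row = new Row(user, System.currentTimeMillis() + idleTimeoutMillis);
            if (sessions.putIfAbsent(token, row) == null) {
                return token;
            }
        }
    }

    /** Resolves a token to its user, or null if the token is unknown or timed out. */
    public String userFor(String token) {
        if (token == null) return null;
        Row row = sessions.get(token);
        if (row == null) return null;
        long now = System.currentTimeMillis();
        if (now > row.expiresAtMillis) {
            sessions.remove(token, row); // lazily evict the expired row
            return null;
        }
        row.expiresAtMillis = now + idleTimeoutMillis; // sliding idle timeout
        return row.user;
    }

    /** Logout must invalidate the row server-side; clearing the client cookie alone is not enough. */
    public void logout(String token) {
        if (token != null) sessions.remove(token);
    }

    /** Periodic sweep so abandoned sessions do not accumulate; returns the number removed. */
    public int evictExpired() {
        long now = System.currentTimeMillis();
        int removed = 0;
        for (Iterator<Map.Entry<String, Row>> it = sessions.entrySet().iterator(); it.hasNext();) {
            if (now > it.next().getValue().expiresAtMillis) {
                it.remove();
                removed++;
            }
        }
        return removed;
    }

    public static void main(String[] args) throws InterruptedException {
        SessionRegistry reg = new SessionRegistry(200); // 200 ms idle timeout, for the demo only
        String id = reg.login("alice");
        System.out.println("issued " + id.length() + "-char token, user=" + reg.userFor(id));
        System.out.println("unknown token -> " + reg.userFor("not-a-real-token"));
        Thread.sleep(300);
        System.out.println("after timeout -> " + reg.userFor(id));
    }
}
```

One caveat on the snooping concern raised above: a self-generated ID is no harder to observe on the wire than the container's own session ID, because the client has to send it with every request either way; what protects it in transit is HTTPS, not how it was generated. What the custom table buys is control over the timeout policy and reliable server-side invalidation on logout, both of which the code above makes explicit.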
