Hi,

I have to implement an "auto login" feature for my web app. It seems
the best way to do this is to use cookies. My server will have two
tables to support this:

  // users
  userid | hashed_password

  // sessions
  session_id | userid | session

When a user visits my website, they can choose "login automatically".
The first time they authenticate, they'll be entering in their
username and password manually. When my server gets the authentication
request, it sees if they want to use auto-login. If so, I generate a
random hash for them and enter it into the sessions table:

    // users
    userid | hashed_password
       101       xyz

    // sessions
    session_id | userid | session
         999            101     abcdefg

The server replies back with the session string, "abcdefg". This
string is saved to a cookie on the user's machine through my app:

    Cookie.set("username", "myname");
    Cookie.set("session", "abcdefg");

Now the user closes the browser, and comes back in a month. They visit
my site. It checks if the above cookies are set. If so, it immediately
calls a different authentication script, passing only the username and
session value:

    onModuleLoad()
    {
        // Both cookies present: try the stored session instead of the form.
        if (autoLoginCookiePresent()) {
           autoAuthenticate("myname", "abcdefg");
        }
        else {
            presentLoginView();
        }
    }

My server still has that session, and considers their login a success.
The same session value persists until the user explicitly logs out on
that machine. At that point I could delete the local cookie, and wipe
that session record from my server database.


Is the above a reasonable approach for auto-login? I've pieced this
together from several posts in this forum, but want to make sure this
is the best way to do it. Is there a GWT wiki where we could post
these kinds of best practices?

Thanks
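
Added example, not part of the original post: a server-side sketch of the sessions-table scheme described above, in which the token comes from a CSPRNG, only its SHA-256 digest is stored, and each record expires. Python with an in-memory SQLite table is an assumption (the post names no server language), and the `session_hash` and `expires` columns and the 30-day lifetime are additions to the post's schema.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL = 30 * 24 * 3600  # assumed 30-day lifetime; the post sets no expiry


def open_db():
    # In-memory stand-in for the post's sessions table (constructed schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (session_id INTEGER PRIMARY KEY, "
               "userid INTEGER, session_hash TEXT UNIQUE, expires REAL)")
    return db


def _digest(token):
    # Only a hash of the token is stored, so a leaked sessions table
    # does not hand out values that work as cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(db, userid, now=None):
    """Call after a successful password login with auto-login selected."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
    db.execute("INSERT INTO sessions (userid, session_hash, expires) "
               "VALUES (?, ?, ?)", (userid, _digest(token), now + TOKEN_TTL))
    return token  # returned once; this is the value the cookie holds


def auto_authenticate(db, userid, token, now=None):
    """True only if the token maps to this user and has not expired."""
    now = time.time() if now is None else now
    row = db.execute("SELECT userid, expires FROM sessions "
                     "WHERE session_hash = ?", (_digest(token),)).fetchone()
    # The stored row, not the client-supplied user, decides the outcome.
    return row is not None and row[0] == userid and row[1] >= now


def logout(db, token):
    """Explicit logout: wipe the server-side record as the post describes."""
    db.execute("DELETE FROM sessions WHERE session_hash = ?", (_digest(token),))
```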