Isn't that insecure regarding CSRF? http://www.openajax.org/whitepapers/Ajax%20and%20Mashup%20Security.php#CSRF I must admit that I am a noob regarding security of web apps, so please, anyone, correct me if I misunderstood.
Another question is: why don't you try to use the password manager of the browsers? This would even work if cookies are disabled.

On Jun 18, 11:30 am, Thomas Broyer <[email protected]> wrote:
> On 18 June, 06:13, markww <[email protected]> wrote:
> > Hi,
> >
> > I have to implement an "auto login" feature for my web app. It seems
> > the best way to do this is to use cookies. My server will have two
> > tables to support this:
> >
> > // users
> > userid | hashed_password
> >
> > // sessions
> > session_id | userid | session
> >
> > When a user visits my website, they can choose "login automatically".
> > The first time they authenticate, they'll be entering in their
> > username and password manually. When my server gets the authentication
> > request, it sees if they want to use auto-login. If so, I generate a
> > random hash for them and enter it into the sessions table:
> >
> > // users
> > userid | hashed_password
> > 101      xyz
> >
> > // sessions
> > session_id | userid | session
> > 999          101      abcdefg
> >
> > The server replies back with the session string, "abcdefg". This
> > string is saved to a cookie on the user's machine through my app:
> >
> > Cookie.set("username", "myname");
> > Cookie.set("session", "abcdefg");
> >
> > Now the user closes the browser, and comes back in a month. They visit
> > my site. It checks if the above cookies are set. If so, it immediately
> > calls a different authentication script, passing only the username and
> > session value:
> >
> > onModuleLoad()
> > {
> >     if (autoLoginCookiePresent()) {
> >         autoAuthenticate("myname", "abcdefg");
> >     }
> >     else {
> >         presentLoginView();
> >     }
> > }
> >
> > My server still has that session, and considers their login a success.
> > The same session value persists until the user explicitly logs out on
> > that machine. At that point I could delete the local cookie, and wipe
> > that session record from my server database.
> >
> > Is the above a reasonable approach for auto-login?
>
> That's more or less what we're doing, so I'd say yes ;-)
>
> (our app is backed with Alfresco, which manages those tickets (session
> id) for us, but our client code is more or less the one outlined
> above)
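As an added example (not code from this thread or from the GWT/Alfresco projects), here is a Python sketch of the server side of the auto-login scheme discussed above, with the hardening a reviewer would ask for: the sessions table keeps only a hash of the random token, the check is constant-time, expiry and logout invalidate the record, the cookie carries HttpOnly/Secure/SameSite, and a separate CSRF token covers the concern raised in the reply. The in-memory store, function names and the 30-day lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the thread's "sessions" table:
# session_id -> (userid, sha256(token), expiry timestamp). Assumed layout.
SESSIONS = {}
TOKEN_TTL = 30 * 24 * 3600  # 30 days; an assumed lifetime

def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_remember_me(userid: int, now=None):
    """Create an auto-login credential. Only the hash is stored server-side,
    so a leaked sessions table does not by itself let anyone log in."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(8)
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = (userid, _hash(token), now + TOKEN_TTL)
    return session_id, token  # both go into the cookie; raw token is never stored

def auto_authenticate(session_id: str, token: str, now=None):
    """Return the userid if the cookie pair is valid and unexpired, else None."""
    now = time.time() if now is None else now
    rec = SESSIONS.get(session_id)
    if rec is None:
        return None
    userid, stored_hash, expiry = rec
    if now > expiry:
        SESSIONS.pop(session_id, None)  # stale record is purged, not reused
        return None
    if not hmac.compare_digest(stored_hash, _hash(token)):  # constant-time compare
        return None
    return userid

def logout(session_id: str) -> None:
    """Explicit logout wipes the server record, as the original poster planned."""
    SESSIONS.pop(session_id, None)

def cookie_header(name: str, value: str) -> str:
    """Set-Cookie value with attributes that limit theft and cross-site sending."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={TOKEN_TTL}"

# CSRF: the auto-login cookie rides along on every browser request, so
# state-changing calls must also carry a token another site cannot read.
def issue_csrf_token() -> str:
    return secrets.token_urlsafe(32)

def csrf_ok(expected: str, submitted) -> bool:
    return hmac.compare_digest(expected, submitted or "")
```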
