Jean-Baptiste,

Would it help to include in your RPC requests a message digest hash that includes the json-rpc sequence ID to make it non-replayable and async-friendly? All, please critique this approach.

My digest is hashed using openpgp.sha1.hex_sha1() in the OpenPGP contribution http://qooxdoo.org/contrib/project/crypto. The server calculates the same hash using sha1() in php. But the server is not stateless. It uses sessions/cookies and includes a session nonce in the digest.

Regards,
Bill

-----Original Message-----
From: Jean-Baptiste BRIAUD -- Novlog [mailto:j-b.bri...@novlog.com]
Sent: Thursday, November 12, 2009 10:03 AM
To: qooxdoo Development
Subject: [qooxdoo-devel] authentication

Hi the list,

How do you manage authentication of users in a stateless server environment? I have a Java backend but don't want to use an HTTP session on the server side: I want to keep the servers stateless. (This is because it scales better, but the reason doesn't matter here.)

1. Login
So, I have a form that asks the end-user for login/pass, then it hashes the pass and sends login/hashedpass to the server. On the server side, we can check that this end-user is authorized.

2. Using the server
Now I send a request to do some business; how do you ensure that the RPC request corresponds to an authenticated end-user?

Questions:
* Do you use a cookie? If yes, what do you put in that cookie? How do you check authentication on the server side?
* Are you also doing something on the client side with that cookie?
* Could it be as simple as copy/pasting the cookie to another machine to bypass security? How do you protect against that copy/paste attack?
* Don't forget that due to the good qooxdoo RPC design, requests are individually asynchronous and sent in parallel, and we are using that heavily. I add that because apparently, adding some random and/or encrypted value to the RPC request that the server would eventually control doesn't work. This is because you can't ensure that all RPC threads will share the value changed on the server side.
* How do you protect, if you protect, against javascript or more generally against client-side hacking: DOM modification, javascript modification, ...

Thanks!
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
qooxdoo-devel mailing list
qooxdoo-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel