I agree with Ilkka, the only way to fully support a completely stateless
server is to send the login credentials with every request.
I would discourage the use of cookies though, they introduce problems. I
guess you are using a full blown qooxdoo application (as aposed to
something inline across several pages). If so you can store the username
and password in a variable and then send then as a seperate HTTP header.
An easy way to do this would be to patch XmlHttp.send:
send : function()
{
this.setRequestHeaders(
{
"X-FOO-USER" : someNameSpace.user,
"X-FOO-PASS" : someNameSpace.pass
});
this.base(arguments);
}
And then to guard against sniffers ensure you use SSL.
As for guarding against local manipulations of the DOM and JavaScript,
this is imposible.
HTH
Matt
Ilkka Oksanen wrote:
> Hi,
>
> Others can correct me but if you want the server side to be completely
> stateless then you can drop login step and have to instead include user
> name and password as part of every "normal" request. To remember the
> user between the sessions you can save and read a cookie that contains
> user credentials. Cookie would be managed completely from Qooxdoo
> application.
>
> In general copy/paste attack is possible, valid cookie is the sole key
> that is usually needed to login to common web services. If the user
> doesn't trust to the used computer he should not allow storing that kind
> of cookie (i.e. check remember me option)
>
> -ilkka
>
> On Thu, Nov 12, 2009 at 8:03 PM, Jean-Baptiste BRIAUD -- Novlog
> <j-b.bri...@novlog.com <mailto:j-b.bri...@novlog.com>> wrote:
>
> Hi the list,
>
> How do you manage authentication of user on stateless servers
> environment ?
>
> I have Java backend but don't want to use HTTP session on server
> side : I want to maintain servers stateless.
> (this is because it scale better, but the reason doesn't matter here).
>
> 1. Login
> So, I have a form to ask for login/pass to end-user, then it hash
> the pass and send login/hashedpass to the server.
> On server side, we can check that this end-user is authorized.
>
> 2. Using the server
> Now I send a request to do some business, how do you ensure that RPC
> request correspond to an authenticated end-user ?
>
> Questions :
>
> * Do you use a cookie ? If yes, what do you put in that cookie ?
> How do you check authentication on server side ?
>
> * Are you also doing something on client side with that cookie ?
>
> * Could that be as simple as copy/paste the cookie to another
> machine to bypass security ?
> How do you protect against that copy/past attack ?
>
> * Don't forget that due to good qooxdoo RPC design, requests are
> individually asynchronous and sent in parallel, and we are using
> that heavily.
> I add that because apparently, adding some random and/or crypted
> value to the RPC request that the server would eventually controlled
> doesn't work.
> This is because you can't ensure that all RPC thread will share the
> value changed on the server side.
>
> * How do you protect, if you protect, against javascript or more
> generally against client-side hacking : DOM modification, javascript
> modification, ...
>
> Thanks !
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> qooxdoo-devel mailing list
> qooxdoo-devel@lists.sourceforge.net
> <mailto:qooxdoo-devel@lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
>
>
>
>
> --
> +358 50 486 0721
>
>
> ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> qooxdoo-devel mailing list
> qooxdoo-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
qooxdoo-devel mailing list
qooxdoo-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
