RE: Wicket authentication: how to store user?

2012-03-12 Thread Hielke Hoeve
Dan,

JSESSIONIDs are not inherently secure. Users can be so dumb as to copy/paste a 
URL with a JSESSIONID as query parameter and send it to someone else via 
email/msn/etc. When that other person clicks the URL, while the first person is 
logged in, he is logged in as well. Web applications should always invalidate 
the wicket session before authenticating. (use Session.get().replaceSession() )

See also: http://www.owasp.org/index.php/Session_Fixation

Hielke

-Original Message-
From: Dan Retzlaff [mailto:dretzl...@gmail.com] 
Sent: maandag 5 maart 2012 3:53
To: users@wicket.apache.org
Subject: Re: Wicket authentication: how to store user?

Paolo, sessions are accessed with a JSESSIONID cookie or query parameter 
supplied with each request. It's not possible for one user to guess another 
user's session ID, so the approach Martin describes is inherently secure.
(Just be careful with your authentication code and form/query parameter 
validation elsewhere in your app!)

Dan

On Sat, Mar 3, 2012 at 4:40 AM, Paolo irresistible...@gmail.com wrote:

 Alle sabato 03 marzo 2012, Martin Grigorov ha scritto:
  Hi,
 
  Save the logged in user id in the Session.
 
  MySession.java:
 
  private long userId;
 
  public User getUser() {
return userService.getUserById(userId); }
 
 
  AnyPage.java:
  user = MySession.get().getUser();
 
 Thank you, for support and explanation code, very useful because I am a
 newbie.
 Just one another answer: Is it secure?
 Can someone alter session data and change user data, so a hacker could
 log with own account but operate with other accounts?
 Do I need some random code like this hdfds6yh6yhgtruifh4hf4frh9ruehfe to
 store temporarily in session and database and associate it to a specific
 user?

   I added registration and user/password sign-in and checking with
 database, instead of simple wicket as user and password.
   All works ok, but now I need in AdminPage to know which user is
 logged in.

 -
 To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
 For additional commands, e-mail: users-h...@wicket.apache.org






Re: Wicket authentication: how to store user?

2012-03-12 Thread Dan Retzlaff
Yes, I agree. Thanks for clarifying. :)

On Mon, Mar 12, 2012 at 7:40 AM, Hielke Hoeve hielke.ho...@topicus.nl wrote:

 Dan,

 JSESSIONIDs are not inherently secure. Users can be so dumb as to
 copy/paste a URL with a JSESSIONID as query parameter and send it to
 someone else via email/msn/etc. When that other person clicks the URL,
 while the first person is logged in, he is logged in as well.
 Web applications should always invalidate the wicket session before
 authenticating. (use Session.get().replaceSession() )

 See also: http://www.owasp.org/index.php/Session_Fixation

 Hielke

 -Original Message-
 From: Dan Retzlaff [mailto:dretzl...@gmail.com]
 Sent: maandag 5 maart 2012 3:53
 To: users@wicket.apache.org
 Subject: Re: Wicket authentication: how to store user?

 Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
 supplied with each request. It's not possible for one user to guess another
 user's session ID, so the approach Martin describes is inherently secure.
 (Just be careful with your authentication code and form/query parameter
 validation elsewhere in your app!)

 Dan

 On Sat, Mar 3, 2012 at 4:40 AM, Paolo irresistible...@gmail.com wrote:

  Alle sabato 03 marzo 2012, Martin Grigorov ha scritto:
   Hi,
  
   Save the logged in user id in the Session.
  
   MySession.java:
  
   private long userId;
  
   public User getUser() {
 return userService.getUserById(userId); }
  
  
   AnyPage.java:
   user = MySession.get().getUser();
  
  Thank you, for support and explanation code, very useful because I am a
  newbie.
  Just one another answer: Is it secure?
  Can someone alter session data and change user data, so a hacker could
  log with own account but operate with other accounts?
  Do I need some random code like this hdfds6yh6yhgtruifh4hf4frh9ruehfe
 to
  store temporarily in session and database and associate it to a specific
  user?
 
I added registration and user/password sign-in and checking with
  database, instead of simple wicket as user and password.
 All works ok, but now I need in AdminPage to know which user is
  logged in.
 
 
 





Re: Wicket authentication: how to store user?

2012-03-12 Thread Alec Swan
So, is this the recommended way to authenticate a user?

// verify user password and store user id in the session
if (user.getPasswordHash().equals(password)) {
  final MyWebSession webSession = MyWebSession.get();
  webSession.setUserName(user.getUserName());
  webSession.replaceSession();
}

Thanks,

Alec

On Mon, Mar 12, 2012 at 10:48 AM, Dan Retzlaff dretzl...@gmail.com wrote:
 Yes, I agree. Thanks for clarifying. :)

 On Mon, Mar 12, 2012 at 7:40 AM, Hielke Hoeve hielke.ho...@topicus.nl wrote:

 Dan,

 JSESSIONIDs are not inherently secure. Users can be so dumb as to
 copy/paste a URL with a JSESSIONID as query parameter and send it to
 someone else via email/msn/etc. When that other person clicks the URL,
 while the first person is logged in, he is logged in as well.
 Web applications should always invalidate the wicket session before
 authenticating. (use Session.get().replaceSession() )

 See also: http://www.owasp.org/index.php/Session_Fixation

 Hielke

 -Original Message-
 From: Dan Retzlaff [mailto:dretzl...@gmail.com]
 Sent: maandag 5 maart 2012 3:53
 To: users@wicket.apache.org
 Subject: Re: Wicket authentication: how to store user?

 Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
 supplied with each request. It's not possible for one user to guess another
 user's session ID, so the approach Martin describes is inherently secure.
 (Just be careful with your authentication code and form/query parameter
 validation elsewhere in your app!)

 Dan

 On Sat, Mar 3, 2012 at 4:40 AM, Paolo irresistible...@gmail.com wrote:

  Alle sabato 03 marzo 2012, Martin Grigorov ha scritto:
   Hi,
  
   Save the logged in user id in the Session.
  
   MySession.java:
  
   private long userId;
  
   public User getUser() {
     return userService.getUserById(userId); }
  
  
   AnyPage.java:
   user = MySession.get().getUser();
  
  Thank you, for support and explanation code, very useful because I am a
  newbie.
  Just one another answer: Is it secure?
  Can someone alter session data and change user data, so a hacker could
  log with own account but operate with other accounts?
  Do I need some random code like this hdfds6yh6yhgtruifh4hf4frh9ruehfe
 to
  store temporarily in session and database and associate it to a specific
  user?
 
I added registration and user/password sign-in and checking with
  database, instead of simple wicket as user and password.
 All works ok, but now I need in AdminPage to know which user is
  logged in.
 
 
 







Re: Wicket authentication: how to store user?

2012-03-12 Thread Dan Retzlaff
Alec: yes, that's correct by my understanding.

By the way, I don't think Hielke's description of an accidentally
copy-and-pasted URL is a session attack per se. I'm not sure there's an
easy/standard way to protect such a user from himself. :) What
Session#replaceSession() guards against is an attacker initiating a
session, then luring someone into authenticating the session while
retaining access to the (now authenticated) session.

On Mon, Mar 12, 2012 at 11:04 AM, Alec Swan alecs...@gmail.com wrote:

 So, is this the recommended way to authenticate a user?

 // verify user password and store user id in the session
 if (user.getPasswordHash().equals(password)) {
  final MyWebSession webSession = MyWebSession.get();
  webSession.setUserName(user.getUserName());
  webSession.replaceSession();
 }

 Thanks,

 Alec

 On Mon, Mar 12, 2012 at 10:48 AM, Dan Retzlaff dretzl...@gmail.com
 wrote:
  Yes, I agree. Thanks for clarifying. :)
 
  On Mon, Mar 12, 2012 at 7:40 AM, Hielke Hoeve hielke.ho...@topicus.nl
 wrote:
 
  Dan,
 
  JSESSIONIDs are not inherently secure. Users can be so dumb as to
  copy/paste a URL with a JSESSIONID as query parameter and send it to
  someone else via email/msn/etc. When that other person clicks the URL,
  while the first person is logged in, he is logged in as well.
  Web applications should always invalidate the wicket session before
  authenticating. (use Session.get().replaceSession() )
 
  See also: http://www.owasp.org/index.php/Session_Fixation
 
  Hielke
 
  -Original Message-
  From: Dan Retzlaff [mailto:dretzl...@gmail.com]
  Sent: maandag 5 maart 2012 3:53
  To: users@wicket.apache.org
  Subject: Re: Wicket authentication: how to store user?
 
  Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
  supplied with each request. It's not possible for one user to guess
 another
  user's session ID, so the approach Martin describes is inherently
 secure.
  (Just be careful with your authentication code and form/query parameter
  validation elsewhere in your app!)
 
  Dan
 
  On Sat, Mar 3, 2012 at 4:40 AM, Paolo irresistible...@gmail.com
 wrote:
 
   Alle sabato 03 marzo 2012, Martin Grigorov ha scritto:
Hi,
   
Save the logged in user id in the Session.
   
MySession.java:
   
private long userId;
   
public User getUser() {
  return userService.getUserById(userId); }
   
   
AnyPage.java:
user = MySession.get().getUser();
   
   Thank you, for support and explanation code, very useful because I am
 a
   newbie.
   Just one another answer: Is it secure?
   Can someone alter session data and change user data, so a hacker
 could
   log with own account but operate with other accounts?
   Do I need some random code like this
 hdfds6yh6yhgtruifh4hf4frh9ruehfe
  to
   store temporarily in session and database and associate it to a
 specific
   user?
  
 I added registration and user/password sign-in and checking with
   database, instead of simple wicket as user and password.
  All works ok, but now I need in AdminPage to know which user is
   logged in.
  
  
  
 
 
 





Re: Wicket authentication: how to store user?

2012-03-12 Thread Thomas Götz
That's not always feasible - in respect to user experience. Just think of some 
order process where e.g. you are asked to log in when doing a checkout (of 
your shopping cart).

   -Tom


Hielke Hoeve wrote:

 Web applications should always invalidate the wicket session before 
 authenticating. (use Session.get().replaceSession() )





Re: Wicket authentication: how to store user?

2012-03-12 Thread Dan Retzlaff
As long as your shopping cart state is in your Wicket Session (not the HTTP
session) you should be okay. Session#replaceSession() invalidates the HTTP
session, but immediately binds the Wicket Session object to the new HTTP
session. Happy shopper, unhappy attacker. :)

On Mon, Mar 12, 2012 at 12:23 PM, Thomas Götz t...@decoded.de wrote:

 That's not always feasible - in respect to user experience. Just think of
 some order process where e.g. you are asked to log in when doing a
 checkout (of your shopping cart).

   -Tom


 Hielke Hoeve wrote:

  Web applications should always invalidate the wicket session before
 authenticating. (use Session.get().replaceSession() )




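The login flow Hielke recommends (rotate the HTTP session before marking the user as authenticated), which Alec's snippet sketches and which Dan explains keeps Wicket Session state such as a shopping cart, as an added Java example. This is not code from the thread or from Wicket itself: WebSession, Session#replaceSession() and Session#invalidate() are Wicket's 1.5/6-era API, while MyApplication (with getUserService()), UserService, PasswordHasher, Cart and User are assumed application types.

```java
// Added example, not code from the thread. Assumes Wicket 1.5/6-style APIs
// (WebSession, Session#replaceSession(), Session#invalidate()) and the
// hypothetical application types MyApplication, UserService, PasswordHasher,
// Cart and User.
import org.apache.wicket.Session;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;

public class MySession extends WebSession {

    // Conversational state that must survive login, e.g. the shopping cart
    // Thomas asked about. It lives in this Wicket Session object, not in the
    // raw HttpSession, so replaceSession() carries it over to the new id.
    private final Cart cart = new Cart();

    // Only the id is stored, never the User entity; null means anonymous.
    private Long userId;

    public MySession(Request request) {
        super(request);
    }

    public static MySession get() {
        return (MySession) Session.get();
    }

    /**
     * Verifies the credentials and, on success, rotates the HTTP session id
     * before the session is marked as authenticated.
     */
    public boolean login(String userName, String plaintextPassword) {
        User user = MyApplication.get().getUserService().findByUserName(userName);
        // Hash the submitted password and compare it with the stored hash
        // (never compare the stored hash with the plaintext, as in Alec's
        // snippet, unless "password" already holds the computed hash).
        if (user == null || !PasswordHasher.matches(plaintextPassword, user.getPasswordHash())) {
            return false; // same answer for unknown user and wrong password
        }
        // Session fixation defence: the JSESSIONID the browser held before
        // authentication is invalidated and a fresh one is issued; Wicket
        // re-binds this MySession instance (cart included) to the new HTTP session.
        replaceSession();
        this.userId = user.getId();
        return true;
    }

    public boolean isSignedIn() {
        return userId != null;
    }

    public Long getUserId() {
        return userId;
    }

    public User getUser() {
        return userId == null ? null : MyApplication.get().getUserService().getUserById(userId);
    }

    public Cart getCart() {
        return cart;
    }

    public void logout() {
        userId = null;
        invalidate(); // the HTTP session is destroyed at the end of the request
    }
}
```

In the login form's onSubmit, call MySession.get().login(userName, password) and, on success, continueToOriginalDestination() or setResponsePage(HomePage.class); on failure, report a generic error. Because the cart is a field of MySession rather than an attribute set directly on the HttpSession, the checkout-time login Thomas describes does not lose the cart when the session id is rotated.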


Re: Wicket authentication: how to store user?

2012-03-07 Thread Dan Retzlaff
I mean that if you accept identifiers of external resources as parameters
(e.g. database primary keys), it is your responsibility to verify that the
authenticated user is authorized to access/modify that external resource.
Frameworks protect session data, but not such external resources.

On Wed, Mar 7, 2012 at 2:33 PM, Paolo irresistible...@gmail.com wrote:

 Alle lunedì 05 marzo 2012, Dan Retzlaff ha scritto:
  Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
  supplied with each request. It's not possible for one user to guess
 another
  user's session ID, so the approach Martin describes is inherently secure.
 Ok, thank you and Martin.

  (Just be careful with your authentication code and form/query parameter
  validation elsewhere in your app!)
 What do you mean?

 I used this code as base:
 http://wicketstuff.org/wicket14/authentication/
 And I added registration and user/password sign-in and checking with
 database, instead of simple wicket as user and password.
 I also used hash SHA (custom mode) to store password in the database.

 I am a newbie, and I am afraid of Internet security.
 I collect users' data and I don't want some hacker to extract sensitive data
 from my web app.



  Dan
 
  On Sat, Mar 3, 2012 at 4:40 AM, Paolo irresistible...@gmail.com wrote:
 
   Alle sabato 03 marzo 2012, Martin Grigorov ha scritto:
Hi,
   
Save the logged in user id in the Session.
   
MySession.java:
   
private long userId;
   
public User getUser() {
  return userService.getUserById(userId);
}
   
   
AnyPage.java:
user = MySession.get().getUser();
   
   Thank you, for support and explanation code, very useful because I am a
   newbie.
   Just one another answer: Is it secure?
   Can someone alter session data and change user data, so a hacker could
   log with own account but operate with other accounts?
   Do I need some random code like this
 hdfds6yh6yhgtruifh4hf4frh9ruehfe to
   store temporarily in session and database and associate it to a
 specific
   user?
  
 I added registration and user/password sign-in and checking with
   database, instead of simple wicket as user and password.
  All works ok, but now I need in AdminPage to know which user is
   logged in.
  
  
  
 


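Dan's point that the framework protects session data but not external resources identified by request parameters, as an added Java example of the check he describes. It is not code from the thread or from Wicket: WebPage, PageParameters, StringValue, RestartResponseAtInterceptPageException and AbortWithHttpErrorCodeException are Wicket 1.5/6-era API; MySession (isSignedIn(), getUserId()), MyApplication.getOrderService(), Order (getOwnerId()), LoginPage and OrderEditForm are assumed application types.

```java
// Added example, not code from the thread. Assumes Wicket 1.5/6-style APIs
// and the hypothetical types MySession, MyApplication, Order, LoginPage and
// OrderEditForm.
import org.apache.wicket.RestartResponseAtInterceptPageException;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.apache.wicket.util.string.StringValue;
import org.apache.wicket.util.string.StringValueConversionException;

public class EditOrderPage extends WebPage {

    public EditOrderPage(PageParameters parameters) {
        super(parameters);

        // 1. Authentication: who is the caller? This comes from the session
        //    (set at login), never from a request parameter.
        MySession session = MySession.get();
        if (!session.isSignedIn()) {
            throw new RestartResponseAtInterceptPageException(LoginPage.class);
        }
        long callerId = session.getUserId();

        // 2. Input validation: the id is attacker-controlled text until it is
        //    proven to be a number; anything else is treated as "no such order".
        long orderId = parseId(parameters.get("orderId"));

        // 3. Authorization: the framework protected the session, but it knows
        //    nothing about orders. Load the order and check ownership explicitly.
        Order order = MyApplication.get().getOrderService().findById(orderId);
        if (order == null || order.getOwnerId() != callerId) {
            // Same response for "does not exist" and "not yours", so the id
            // parameter cannot be used to enumerate other users' orders.
            throw new AbortWithHttpErrorCodeException(404);
        }

        add(new OrderEditForm("form", order));
    }

    // Converts the raw parameter to a long or aborts with 404.
    private static long parseId(StringValue value) {
        if (value.isNull() || value.isEmpty()) {
            throw new AbortWithHttpErrorCodeException(404);
        }
        try {
            return value.toLong();
        } catch (StringValueConversionException e) {
            throw new AbortWithHttpErrorCodeException(404);
        }
    }
}
```

The same rule applies to form submissions that carry an id in a hidden field: the ownership check runs again in onSubmit against the order loaded from the database, because the hidden field is as editable as a query parameter. An alternative to the explicit comparison is a repository method such as findByIdAndOwner(orderId, callerId) that returns null for both missing and foreign orders, which keeps the check close to the data access and harder to forget.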


Re: Wicket authentication: how to store user?

2012-03-04 Thread Dan Retzlaff
Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
supplied with each request. It's not possible for one user to guess another
user's session ID, so the approach Martin describes is inherently secure.
(Just be careful with your authentication code and form/query parameter
validation elsewhere in your app!)

Dan

On Sat, Mar 3, 2012 at 4:40 AM, Paolo irresistible...@gmail.com wrote:

 Alle sabato 03 marzo 2012, Martin Grigorov ha scritto:
  Hi,
 
  Save the logged in user id in the Session.
 
  MySession.java:
 
  private long userId;
 
  public User getUser() {
return userService.getUserById(userId);
  }
 
 
  AnyPage.java:
  user = MySession.get().getUser();
 
 Thank you, for support and explanation code, very useful because I am a
 newbie.
 Just one another answer: Is it secure?
 Can someone alter session data and change user data, so a hacker could
 log with own account but operate with other accounts?
 Do I need some random code like this hdfds6yh6yhgtruifh4hf4frh9ruehfe to
 store temporarily in session and database and associate it to a specific
 user?

   I added registration and user/password sign-in and checking with
 database, instead of simple wicket as user and password.
   All works ok, but now I need in AdminPage to know which user is
 logged in.





Re: Wicket authentication: how to store user?

2012-03-03 Thread Martin Grigorov
Hi,

Save the logged in user id in the Session.

MySession.java:

private long userId;

public User getUser() {
  return userService.getUserById(userId);
}


AnyPage.java:
user = MySession.get().getUser();

On Fri, Mar 2, 2012 at 9:38 PM, Paolo irresistible...@gmail.com wrote:
 I use this code as base:

 http://wicketstuff.org/wicket14/authentication/

 I added registration and user/password sign-in and checking with database, 
 instead of simple wicket as user and password.
 All works ok, but now I need in AdminPage to know which user is logged in.

 How can I implement it?
 Is there some Wicket implementation?
 Do I need to store user in Session or with cookies or in PageParameters? Is 
 it secure?

 Thank you.





-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com




Re: Wicket authentication: how to store user?

2012-03-03 Thread Paolo
Alle sabato 03 marzo 2012, Martin Grigorov ha scritto:
 Hi,
 
 Save the logged in user id in the Session.
 
 MySession.java:
 
 private long userId;
 
 public User getUser() {
   return userService.getUserById(userId);
 }
 
 
 AnyPage.java:
 user = MySession.get().getUser();
 
Thank you, for support and explanation code, very useful because I am a newbie.
Just one another answer: Is it secure?
Can someone alter session data and change user data, so a hacker could log 
with own account but operate with other accounts?
Do I need some random code like this hdfds6yh6yhgtruifh4hf4frh9ruehfe to 
store temporarily in session and database and associate it to a specific user?

  I added registration and user/password sign-in and checking with database, 
  instead of simple wicket as user and password.
  All works ok, but now I need in AdminPage to know which user is logged in.




Wicket authentication: how to store user?

2012-03-02 Thread Paolo
I use this code as base:

http://wicketstuff.org/wicket14/authentication/

I added registration and user/password sign-in and checking with database, 
instead of simple wicket as user and password.
All works ok, but now I need in AdminPage to know which user is logged in.

How can I implement it?
Is there some Wicket implementation?
Do I need to store user in Session or with cookies or in PageParameters? Is it 
secure?

Thank you.
