RE: Wicket authentication: how to store user?
Dan,

JSESSIONIDs are not inherently secure. Users can be so dumb as to copy/paste a URL with a JSESSIONID as query parameter and send it to someone else via email/msn/etc. When that other person clicks the URL while the first person is logged in, he is logged in as well. Web applications should always invalidate the Wicket session before authenticating (use Session.get().replaceSession()).

See also: http://www.owasp.org/index.php/Session_Fixation

Hielke

-----Original Message-----
From: Dan Retzlaff [mailto:dretzl...@gmail.com]
Sent: Monday 5 March 2012 3:53
To: users@wicket.apache.org
Subject: Re: Wicket authentication: how to store user?

Paolo, sessions are accessed with a JSESSIONID cookie or query parameter supplied with each request. It's not possible for one user to guess another user's session ID, so the approach Martin describes is inherently secure. (Just be careful with your authentication code and form/query parameter validation elsewhere in your app!)

Dan

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
Re: Wicket authentication: how to store user?
Yes, I agree. Thanks for clarifying. :)

On Mon, Mar 12, 2012 at 7:40 AM, Hielke Hoeve hielke.ho...@topicus.nl wrote:

> Dan,
>
> JSESSIONIDs are not inherently secure. Users can be so dumb as to copy/paste a URL with a JSESSIONID as query parameter and send it to someone else via email/msn/etc. When that other person clicks the URL while the first person is logged in, he is logged in as well. Web applications should always invalidate the Wicket session before authenticating (use Session.get().replaceSession()).
>
> See also: http://www.owasp.org/index.php/Session_Fixation
>
> Hielke
Re: Wicket authentication: how to store user?
So, is this the recommended way to authenticate a user?

    // verify user password and store user id in the session
    if (user.getPasswordHash().equals(password)) {
        final MyWebSession webSession = MyWebSession.get();
        webSession.setUserName(user.getUserName());
        webSession.replaceSession();
    }

Thanks,
Alec

On Mon, Mar 12, 2012 at 10:48 AM, Dan Retzlaff dretzl...@gmail.com wrote:

> Yes, I agree. Thanks for clarifying. :)
Re: Wicket authentication: how to store user?
Alec: yes, that's correct by my understanding.

By the way, I don't think Hielke's description of an accidentally copy-and-pasted URL is a session attack per se. I'm not sure there's an easy/standard way to protect such a user from himself. :) What Session#replaceSession() guards against is an attacker initiating a session, then luring someone into authenticating the session while retaining access to the (now authenticated) session.

On Mon, Mar 12, 2012 at 11:04 AM, Alec Swan alecs...@gmail.com wrote:

> So, is this the recommended way to authenticate a user?
>
>     // verify user password and store user id in the session
>     if (user.getPasswordHash().equals(password)) {
>         final MyWebSession webSession = MyWebSession.get();
>         webSession.setUserName(user.getUserName());
>         webSession.replaceSession();
>     }
>
> Thanks,
> Alec
Re: Wicket authentication: how to store user?
That's not always feasible - with respect to user experience. Just think of some order process where e.g. you are asked to log in when doing a checkout (of your shopping cart).

-Tom

Hielke Hoeve wrote:

> Web applications should always invalidate the Wicket session before authenticating (use Session.get().replaceSession()).
Re: Wicket authentication: how to store user?
As long as your shopping cart state is in your Wicket Session (not the HTTP session) you should be okay. Session#replaceSession() invalidates the HTTP session, but immediately binds the Wicket Session object to the new HTTP session. Happy shopper, unhappy attacker. :)

On Mon, Mar 12, 2012 at 12:23 PM, Thomas Götz t...@decoded.de wrote:

> That's not always feasible - with respect to user experience. Just think of some order process where e.g. you are asked to log in when doing a checkout (of your shopping cart).
>
> -Tom
>
> Hielke Hoeve wrote:
>
>> Web applications should always invalidate the Wicket session before authenticating (use Session.get().replaceSession()).
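Putting the thread's advice together, as an added example that is not code from the thread or from Wicket: a Wicket 1.5 session class that stores only the user id (Martin's approach), rotates the HTTP session id on login with replaceSession() (Hielke's point), and keeps pre-login cart state as a field of the Wicket Session so that it survives the rotation (Dan's point). User, UserService and ShoppingCart are hypothetical application classes, and the service is assumed to be handed in by the application's newSession() override.

```java
import org.apache.wicket.Session;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;

// Added example, not code from the thread or from Wicket. Assumes Wicket 1.5 and
// hypothetical application classes User, UserService and ShoppingCart.
public class MySession extends WebSession {

    // Only the id is stored (0 = anonymous); the User is reloaded per request, so a
    // disabled account or changed role takes effect without waiting for expiry.
    private long userId = 0L;

    // State held as a field of the Wicket Session (not a raw HTTP session attribute)
    // survives replaceSession(): Wicket re-binds this object to the new HTTP session.
    private final ShoppingCart cart = new ShoppingCart();

    // Hypothetical lookup service, passed in by the application's newSession() override.
    private final UserService userService;

    public MySession(Request request, UserService userService) {
        super(request);
        this.userService = userService;
    }

    public static MySession get() {
        return (MySession) Session.get();
    }

    /** Call only after the caller has verified the user's credentials. */
    public void signIn(User user) {
        // Rotate the session id before recording the identity: whatever JSESSIONID the
        // browser held before login (fixed by an attacker, or pasted into an e-mail) is
        // invalidated, and the authenticated user is bound only to the fresh id.
        replaceSession();
        this.userId = user.getId();
    }

    public void signOut() {
        this.userId = 0L;
        invalidate(); // the HTTP session is dropped at the end of the request
    }

    public boolean isSignedIn() {
        return userId != 0L;
    }

    public long getUserId() {
        return userId;
    }

    // Martin's getUser(), guarded so an anonymous session never queries the database.
    public User getUser() {
        return isSignedIn() ? userService.getUserById(userId) : null;
    }
}
```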
Re: Wicket authentication: how to store user?
I mean that if you accept identifiers of external resources as parameters (e.g. database primary keys), it is your responsibility to verify that the authenticated user is authorized to access/modify that external resource. Frameworks protect session data, but not such external resources.

On Wed, Mar 7, 2012 at 2:33 PM, Paolo irresistible...@gmail.com wrote:

> On Monday 5 March 2012, Dan Retzlaff wrote:
>
>> Paolo, sessions are accessed with a JSESSIONID cookie or query parameter supplied with each request. It's not possible for one user to guess another user's session ID, so the approach Martin describes is inherently secure.
>
> Ok, thank you and Martin.
>
>> (Just be careful with your authentication code and form/query parameter validation elsewhere in your app!)
>
> What do you mean? I used this code as base: http://wicketstuff.org/wicket14/authentication/
>
> And I added registration and user/password sign-in and checking with the database, instead of the simple 'wicket' as user and password. I also used a SHA hash (custom mode) to store passwords in the database.
>
> I am a newbie, and I am worried about Internet security. I collect users' data and I don't want some hacker to extract sensitive data from my web app.
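The check Dan is describing, as an added example (not code from the thread or from Wicket): a Wicket 1.5 page that receives a database primary key in its PageParameters and confirms the record belongs to the signed-in user before rendering it. It assumes a MySession exposing isSignedIn() and getUserId() in the style of Martin's snippet, hypothetical Order, OrderService and LoginPage classes, and wicket-spring for the @SpringBean injection.

```java
import javax.servlet.http.HttpServletResponse;

import org.apache.wicket.RestartResponseAtInterceptPageException;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.basic.Label;
import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.apache.wicket.spring.injection.annot.SpringBean;

// Added example, not code from the thread or from Wicket. Assumes Wicket 1.5, a
// MySession with isSignedIn()/getUserId(), and hypothetical Order, OrderService
// and LoginPage classes.
public class OrderPage extends WebPage {

    @SpringBean
    private OrderService orderService; // hypothetical; assumes wicket-spring is installed

    public OrderPage(PageParameters params) {
        super(params);
        MySession session = MySession.get();

        // Authentication: the session says who is asking, and nothing more.
        if (!session.isSignedIn()) {
            throw new RestartResponseAtInterceptPageException(LoginPage.class);
        }

        // The id in the URL is untrusted input: validate it before touching the database.
        long orderId = params.get("orderId").toLong(-1L); // -1 if missing or not a number
        if (orderId < 0) {
            throw new AbortWithHttpErrorCodeException(HttpServletResponse.SC_BAD_REQUEST);
        }

        // Authorization: the framework protects session data, not this record. Anyone
        // can change the number in the URL, so ownership must be checked here.
        Order order = orderService.findById(orderId);
        if (order == null || order.getOwnerId() != session.getUserId()) {
            // One response for "no such order" and "not yours", so the page does not
            // confirm which ids exist.
            throw new AbortWithHttpErrorCodeException(HttpServletResponse.SC_NOT_FOUND);
        }

        add(new Label("orderNumber", order.getNumber()));
    }
}
```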
Re: Wicket authentication: how to store user?
Paolo, sessions are accessed with a JSESSIONID cookie or query parameter supplied with each request. It's not possible for one user to guess another user's session ID, so the approach Martin describes is inherently secure. (Just be careful with your authentication code and form/query parameter validation elsewhere in your app!)

Dan

On Sat, Mar 3, 2012 at 4:40 AM, Paolo irresistible...@gmail.com wrote:

> On Saturday 3 March 2012, Martin Grigorov wrote:
>
>> Hi,
>>
>> Save the logged in user id in the Session.
>>
>> MySession.java:
>>
>>     private long userId;
>>
>>     public User getUser() {
>>         return userService.getUserById(userId);
>>     }
>>
>> AnyPage.java:
>>
>>     user = MySession.get().getUser();
>
> Thank you for the support and the example code, very useful because I am a newbie.
>
> Just one more question: is it secure? Can someone alter session data and change user data, so a hacker could log in with his own account but operate with other accounts? Do I need some random code like hdfds6yh6yhgtruifh4hf4frh9ruehfe to store temporarily in the session and database and associate it with a specific user?
Re: Wicket authentication: how to store user?
Hi,

Save the logged in user id in the Session.

MySession.java:

    private long userId;

    public User getUser() {
        return userService.getUserById(userId);
    }

AnyPage.java:

    user = MySession.get().getUser();

On Fri, Mar 2, 2012 at 9:38 PM, Paolo irresistible...@gmail.com wrote:

> I use this code as base: http://wicketstuff.org/wicket14/authentication/
>
> I added registration and user/password sign-in and checking with the database, instead of the simple 'wicket' as user and password.
>
> All works ok, but now I need in AdminPage to know which user is logged in. How can I implement it? Is there some Wicket implementation? Do I need to store the user in the Session, or with cookies, or in PageParameters? Is it secure?
>
> Thank you.

--
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
Re: Wicket authentication: how to store user?
On Saturday 3 March 2012, Martin Grigorov wrote:

> Hi,
>
> Save the logged in user id in the Session.
>
> MySession.java:
>
>     private long userId;
>
>     public User getUser() {
>         return userService.getUserById(userId);
>     }
>
> AnyPage.java:
>
>     user = MySession.get().getUser();

Thank you for the support and the example code, very useful because I am a newbie.

Just one more question: is it secure? Can someone alter session data and change user data, so a hacker could log in with his own account but operate with other accounts? Do I need some random code like hdfds6yh6yhgtruifh4hf4frh9ruehfe to store temporarily in the session and database and associate it with a specific user?
Wicket authentication: how to store user?
I use this code as base: http://wicketstuff.org/wicket14/authentication/

I added registration and user/password sign-in and checking with the database, instead of the simple 'wicket' as user and password.

All works ok, but now I need in AdminPage to know which user is logged in. How can I implement it? Is there some Wicket implementation? Do I need to store the user in the Session, or with cookies, or in PageParameters? Is it secure?

Thank you.