So, is this the recommended way to authenticate a user?

// verify user password and store user id in the session
if (user.getPasswordHash().equals(password)) {
  final MyWebSession webSession = MyWebSession.get();
  webSession.setUserName(user.getUserName());
  webSession.replaceSession();
}

Thanks,

Alec
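As an added example (not Alec's posted code and not Wicket's own), here is one way to write the sign-in so that the password is checked against a stored hash rather than compared with the plaintext, and so that Session.replaceSession() (named in Hielke's reply below) runs before the user identity is stored, which is the order the thread recommends for avoiding session fixation. Only the id is kept in the session, following Martin's pattern. Wicket's WebSession/Session API (1.5-era package names) is assumed; the User and UserService types, their field names and the PBKDF2 parameters are hypothetical.

```java
// Added example, not from the original thread. Assumes Wicket 1.5-style
// packages; User/UserService are hypothetical types defined below.
import org.apache.wicket.Session;
import org.apache.wicket.protocol.http.WebSession;
import org.apache.wicket.request.Request;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class MyWebSession extends WebSession {
    private static final int ITERATIONS = 100_000; // hypothetical work factor
    private static final int KEY_BITS = 256;

    private long userId; // 0 = not signed in; only the id lives in the session

    public MyWebSession(Request request) {
        super(request);
    }

    public static MyWebSession get() {
        return (MyWebSession) Session.get();
    }

    /** Verifies the credentials; on success replaces the session and records the user. */
    public boolean signIn(String userName, char[] password, UserService userService) {
        User user = userService.findByUserName(userName);
        if (user == null
                || !verify(password, user.getPasswordSalt(), user.getPasswordHash())) {
            return false; // same outcome for unknown user and wrong password
        }
        // Session fixation defence: discard the pre-login session id first ...
        replaceSession();
        // ... and only then store who is logged in.
        this.userId = user.getId();
        bind();
        return true;
    }

    public User getUser(UserService userService) {
        return userId == 0 ? null : userService.getUserById(userId);
    }

    public void signOut() {
        userId = 0;
        invalidateNow();
    }

    /** PBKDF2-HMAC-SHA256 check with a constant-time comparison (not String.equals). */
    static boolean verify(char[] password, String saltB64, String expectedHashB64) {
        byte[] computed = pbkdf2(password, Base64.getDecoder().decode(saltB64));
        byte[] expected = Base64.getDecoder().decode(expectedHashB64);
        return MessageDigest.isEqual(computed, expected);
    }

    static byte[] pbkdf2(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        } finally {
            spec.clearPassword();
        }
    }

    /** Registration-time helper: returns {saltB64, hashB64} to store with the user. */
    static String[] newSaltAndHash(char[] password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new String[] {
            Base64.getEncoder().encodeToString(salt),
            Base64.getEncoder().encodeToString(pbkdf2(password, salt))
        };
    }
}

// Hypothetical application types used by the example above.
class User {
    private final long id;
    private final String userName, passwordSalt, passwordHash;

    User(long id, String userName, String passwordSalt, String passwordHash) {
        this.id = id;
        this.userName = userName;
        this.passwordSalt = passwordSalt;
        this.passwordHash = passwordHash;
    }

    long getId() { return id; }
    String getUserName() { return userName; }
    String getPasswordSalt() { return passwordSalt; }
    String getPasswordHash() { return passwordHash; }
}

interface UserService {
    User findByUserName(String userName);
    User getUserById(long id);
}
```

In a page, sign-in is then `MyWebSession.get().signIn(name, passwordField.getInput().toCharArray(), userService)`, and `MyWebSession.get().getUser(userService)` replaces the `getUser()` in Martin's snippet. The two points worth keeping whatever library is used: the stored value is a salted hash that is never compared with the raw password, and the session id is replaced before, not after, anything identifying the user is written into it.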

On Mon, Mar 12, 2012 at 10:48 AM, Dan Retzlaff <[email protected]> wrote:
> Yes, I agree. Thanks for clarifying. :)
>
> On Mon, Mar 12, 2012 at 7:40 AM, Hielke Hoeve <[email protected]> wrote:
>
>> Dan,
>>
>> JSESSIONIDs are not inherently secure. Users can be so dumb as to
>> copy/paste a URL with a JSESSIONID as query parameter and send it to
>> someone else via email/msn/etc. When that other person clicks the URL,
>> while the first person is logged in, he is logged in as well.
>> Web applications should always invalidate the Wicket session before
>> authenticating. (use Session.get().replaceSession())
>>
>> See also: http://www.owasp.org/index.php/Session_Fixation
>>
>> Hielke
>>
>> -----Original Message-----
>> From: Dan Retzlaff [mailto:[email protected]]
>> Sent: Monday, 5 March 2012 3:53
>> To: [email protected]
>> Subject: Re: Wicket authentication: how to store user?
>>
>> Paolo, sessions are accessed with a JSESSIONID cookie or query parameter
>> supplied with each request. It's not possible for one user to guess another
>> user's session ID, so the approach Martin describes is inherently secure.
>> (Just be careful with your authentication code and form/query parameter
>> validation elsewhere in your app!)
>>
>> Dan
>>
>> On Sat, Mar 3, 2012 at 4:40 AM, Paolo <[email protected]> wrote:
>>
>> > On Saturday, 03 March 2012, Martin Grigorov wrote:
>> > > Hi,
>> > >
>> > > Save the logged in user id in the Session.
>> > >
>> > > MySession.java:
>> > >
>> > > // only the id of the logged-in user is kept in the session
>> > > private long userId;
>> > >
>> > > // the User object is loaded from the service on each access
>> > > public User getUser() {
>> > >   return userService.getUserById(userId);
>> > > }
>> > >
>> > > AnyPage.java:
>> > > user = MySession.get().getUser();
>> > >
>> > Thank you for the support and the explanation code, very useful because I am a
>> > newbie.
>> > Just one other question: Is it secure?
>> > Can someone alter session data and change user data, so a hacker could
>> > log in with his own account but operate with other accounts?
>> > Do I need some random code like this "hdfds6yh6yhgtruifh4hf4frh9ruehfe"
>> > to store temporarily in session and database and associate it to a specific
>> > user?
>> >
>> > > > I added registration and user/password sign-in and checking with
>> > database, instead of simple "wicket" as user and password.
>> > > > All works ok, but now I need in AdminPage to know which user is
>> > logged in.
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: [email protected]
>> > For additional commands, e-mail: [email protected]
>> >
>> >
>>
