Hi
I searched around for an answer to this, but did not really find a direct answer to what I was looking for, so apologies if this is basic, or I missed something I should have found.
I'm looking for a concise description of best practices that relate to the users of a web application: how to maintain their login state, how to store their passwords/usernames, etc. The upcoming iteration of this application will be very basic, only used internally and have a handful of users, so security requirements are looser now than they will be in the future. When this app is rolled out more broadly, I'll likely use Apache Shiro and/or Spring for all security and user management, but right now I just want to get something simple. I also want to code it myself, just so I am more aware of the issues to deal with, allowing me to take full advantage of the libs mentioned above.
Current plan is to do something like the following (in case of existing user):
User logs on with user/pw; system checks if user exists, then checks if user/pw is correct (will hash/salt user and pw). If ok, sends back a boolean that the user is ok and is now logged on.
Will create some form of temp id and store it in the session obj; will send and retrieve it as a cookie with HTTP requests. Cookie will expire at some point.
User obj / DB table will have name, basic profile info, and logon status.
Most functions of the app will require a user to be logged on, or redirect back to the logon page.
is that about right? Anything else I should be considering, or any good documentation you can recommend?
thanks!