remember me token

David Spades
Ranch Hand

Joined: Feb 01, 2014
Posts: 194
I know that when a remember-me token is included in the request header, it contains an expiry date. Does this mean the token generated must be able to be reversed back to its original string?
Thanks
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41155
There are two approaches you could take. Either set a hashed (and thus not reversible) token as a cookie, and then store the data about the user (principally his user ID and expiration date) in the DB along with this token.

Or combine the date and the user ID in a cryptographically secure token and set that as a cookie. Then you can decrypt it on the server, and check whether it's still within the desired timeframe. This is not quite as secure, as it would be possible to set a manufactured token if the attacker guesses how one is constructed (including the encryption key). So it would be a form of security by obscurity, which is generally frowned upon.


Ping & DNS - my free Android networking tools app
David Spades
Ranch Hand

Joined: Feb 01, 2014
Posts: 194
But if it's a one-way hash, then how do we know if the token is still within the accepted timeframe?
And which way is the way to go, database or token based? The DB has a downside where we need to purge expired sessions (extra overhead).
Thanks
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41155
You'd know that because you'd store the hash in the DB along with the userID and expiration date - so you can look it up when the user accesses the site.

Running a nightly cron job that removes expired sessions is no big deal; that's a pretty standard procedure.
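The database-backed approach from the two answers above, as an added example that is not code from the thread or its posters: the cookie carries a random token, the server stores only the token's SHA-256 hash next to the user ID and expiry, and a purge method removes expired rows the way the nightly cron job would. A `ConcurrentHashMap` stands in for the DB table (an assumption made for the example), and the `record` syntax assumes Java 16 or newer.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not code from the thread: database-backed remember-me tokens.
// The browser gets a random token; the server stores only its SHA-256 hash with the
// user ID and expiry, so a leaked table cannot be replayed as cookies.
public class RememberMeStore {
    record Entry(String userId, Instant expiresAt) {}
    // Stand-in for the DB table (constructed for the example): hash -> entry.
    private final Map<String, Entry> table = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    // Issue a cookie value: 32 random bytes, base64url-encoded; only the hash is stored.
    public String issue(String userId, Instant expiresAt) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        table.put(hash(token), new Entry(userId, expiresAt));
        return token;
    }

    // Validate a presented cookie: look up its hash, then check the stored expiry.
    // Returns the user ID, or null for an unknown or expired token.
    public String validate(String token, Instant now) {
        Entry e = table.get(hash(token));
        if (e == null || !now.isBefore(e.expiresAt())) return null;
        return e.userId();
    }

    // The nightly purge the second answer mentions: drop rows whose expiry has passed.
    public int purgeExpired(Instant now) {
        int before = table.size();
        table.entrySet().removeIf(en -> !now.isBefore(en.getValue().expiresAt()));
        return before - table.size();
    }

    private static String hash(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (java.security.NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex); // SHA-256 is mandatory in every JRE
        }
    }
}
```

In a servlet the value returned by `issue` would go into a cookie marked `HttpOnly` and `Secure`, and `validate` would run on each request that presents it.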
David Spades
Ranch Hand

Joined: Feb 01, 2014
Posts: 194
So, database-backed remember me is the recommended best practice in real-world applications (business web applications)?
Thanks