remember me token

David Spades
Ranch Hand

Joined: Feb 01, 2014
Posts: 194
I know that when including a remember-me token in the request header, it will contain an expiry date. Does this mean the token generated must be able to be reversed back to its original string?
thanks
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41062
There are two approaches you could take. Either set a hashed (and thus not reversible) token as a cookie, and then store the data about the user (principally his user ID and expiration date) in the DB along with this token.

Or combine the date and the user ID in a cryptographically secure token and set that as a cookie. Then you can decrypt it on the server, and check whether it's still within the desired timeframe. This is not quite as secure, as it would be possible to set a manufactured token if the attacker guesses how one is constructed (including the encryption key). So it would be a form of security by obscurity, which is generally frowned upon.


Ping & DNS - my free Android networking tools app
David Spades
Ranch Hand

Joined: Feb 01, 2014
Posts: 194
But if it's a one-way hash, then how do we know if the token is still within the accepted timeframe?
And which way should we go? Database or token-based? The DB has a downside where we need to purge expired sessions (extra overhead).
thanks
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41062
You'd know that because you'd store the hash in the DB along with the user ID and expiration date, so you can look it up when the user accesses the site.

Running a nightly cron job that removes expired sessions is no big deal; that's a pretty standard procedure.
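The two designs from Ulf's replies, written out as an added example (this is not code from the thread or from any particular framework). Approach 1 keeps an opaque random token in the cookie and persists only its SHA-256 hash with the user ID and expiry, so validation is a lookup and the "nightly cron job" is a purge of expired rows; the `ConcurrentHashMap` stands in for the DB table. Approach 2 carries `userId|expiry` in the cookie itself; I protect it with an HMAC rather than encryption, since the server only needs to verify the fields and check the date, not hide them. The class and method names, and the randomly generated HMAC key in `main`, are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: the two remember-me designs discussed above (not the thread's own code). */
public final class RememberMeExamples {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    /** What the DB row holds: the hash of the token (never the token), the user, the expiry. */
    static final class Row {
        final String userId; final Instant expiresAt;
        Row(String userId, Instant expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    }

    /** Approach 1: random token in the cookie, hashed at rest, validated by lookup. */
    static final class DbBackedRememberMe {
        private final SecureRandom random = new SecureRandom();
        private final Map<String, Row> table = new ConcurrentHashMap<>(); // stands in for the DB

        /** Issue 32 random bytes as the cookie value; persist only their hash. */
        String issue(String userId, Duration lifetime) {
            byte[] raw = new byte[32];
            random.nextBytes(raw);
            String token = B64.encodeToString(raw);
            table.put(sha256(token), new Row(userId, Instant.now().plus(lifetime)));
            return token; // goes into the Set-Cookie header
        }

        /** Hash the presented cookie, look it up, and check the stored expiry. */
        Optional<String> userFor(String token, Instant now) {
            String key = sha256(token);
            Row row = table.get(key);
            if (row == null) return Optional.empty();
            if (!now.isBefore(row.expiresAt)) { table.remove(key); return Optional.empty(); }
            return Optional.of(row.userId);
        }

        /** The nightly job: delete every row whose expiry has passed; returns rows removed. */
        int purgeExpired(Instant now) {
            int before = table.size();
            table.values().removeIf(r -> !now.isBefore(r.expiresAt));
            return before - table.size();
        }
    }

    /** Approach 2: "userId|expiry|tag", verified with HMAC-SHA256, no server-side state. */
    static final class SelfContainedRememberMe {
        private final SecretKeySpec key;
        SelfContainedRememberMe(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }

        String issue(String userId, Duration lifetime) {
            if (userId.contains("|")) throw new IllegalArgumentException("'|' is the field separator");
            String payload = userId + "|" + Instant.now().plus(lifetime).getEpochSecond();
            return payload + "|" + mac(payload);
        }

        Optional<String> userFor(String token, Instant now) {
            int cut = token.lastIndexOf('|');
            if (cut < 0) return Optional.empty();
            String payload = token.substring(0, cut), tag = token.substring(cut + 1);
            // constant-time comparison so a mismatch does not leak how many bytes matched
            if (!MessageDigest.isEqual(tag.getBytes(StandardCharsets.UTF_8),
                                       mac(payload).getBytes(StandardCharsets.UTF_8))) return Optional.empty();
            String[] parts = payload.split("\\|", 2);
            if (parts.length != 2) return Optional.empty();
            Instant expiresAt;
            try { expiresAt = Instant.ofEpochSecond(Long.parseLong(parts[1])); }
            catch (NumberFormatException e) { return Optional.empty(); }
            return now.isBefore(expiresAt) ? Optional.of(parts[0]) : Optional.empty();
        }

        private String mac(String data) {
            try {
                Mac m = Mac.getInstance("HmacSHA256");
                m.init(key);
                return B64.encodeToString(m.doFinal(data.getBytes(StandardCharsets.UTF_8)));
            } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
        }
    }

    static String sha256(String s) {
        try { return B64.encodeToString(MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8))); }
        catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        DbBackedRememberMe db = new DbBackedRememberMe();
        String cookie = db.issue("alice", Duration.ofDays(14));
        System.out.println("db-backed, now:       " + db.userFor(cookie, now));
        System.out.println("db-backed, +15 days:  " + db.userFor(cookie, now.plus(Duration.ofDays(15))));
        db.issue("bob", Duration.ofDays(1));
        System.out.println("rows purged at +2d:   " + db.purgeExpired(now.plus(Duration.ofDays(2))));

        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // placeholder key; a real app loads it from configuration
        SelfContainedRememberMe sc = new SelfContainedRememberMe(secret);
        String token = sc.issue("alice", Duration.ofDays(14));
        System.out.println("signed token:         " + sc.userFor(token, now));
        System.out.println("tampered user field:  " + sc.userFor(token.replace("alice", "admin"), now));
    }
}
```

The DB-backed variant can revoke a single cookie (delete the row) and never stores anything an attacker could replay if the table leaks, which is why only the hash is kept. The self-contained variant needs no table or purge job, but a token stays valid until its embedded expiry unless the key is rotated, and the key itself becomes the only thing standing between an attacker and a forged cookie.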
David Spades
Ranch Hand

Joined: Feb 01, 2014
Posts: 194
So, database-backed remember-me is the recommended best practice in real-world applications (business web applications)?
thanks