JavaRanch » Java Forums » Java » Servlets
remember me token

David Spades
Ranch Hand

Joined: Feb 01, 2014
Posts: 208
I know that when including a remember-me token in the request header, it will contain an expiry date. Does this mean the token generated must be able to be reversed back to its original string?
thanks
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42634
There are two approaches you could take. Either set a hashed (and thus not reversible) token as a cookie, and then store the data about the user (principally his user ID and expiration date) in the DB along with this token.

Or combine the date and the user ID in a cryptographically secure token and set that as a cookie. Then you can decrypt it on the server and check whether it's still within the desired timeframe. This is not quite as secure, as it would be possible to set a manufactured token if the attacker guesses how one is constructed (including the encryption key). So it would be a form of security by obscurity, which is generally frowned upon.


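The second approach in the reply above (a self-contained token that carries the user ID and expiry, so the server can check the timeframe without a database lookup), as an added example that is not from the original thread. It is written in Python rather than Java so it runs stand-alone, and it uses an HMAC under a server-side secret in place of the encryption the reply mentions (an assumption of this example): the payload half of the token is readable by anyone, which answers the opening question about reversibility, while the MAC half is what stops a client from editing or forging it. SERVER_KEY, the token layout and the function names are hypothetical.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

# Server-side secret. Constructed placeholder for this example: a real
# deployment loads it from configuration and generates it with os.urandom.
SERVER_KEY = b"example-only-key-load-a-random-one-from-config"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_token(user_id: str, lifetime_seconds: int,
               now: Optional[float] = None, key: bytes = SERVER_KEY) -> str:
    """Build '<b64(user_id:expiry)>.<b64(HMAC)>'. The first part is readable
    by anyone (so the expiry can be checked without a database); the MAC is
    what stops a client from editing it."""
    current = time.time() if now is None else now
    payload = f"{user_id}:{int(current) + lifetime_seconds}".encode()
    return f"{_b64(payload)}.{_b64(_mac(payload, key))}"


def peek_payload(token: str) -> Optional[str]:
    """The payload half decodes without any key: the token is 'reversible'
    in that sense. This is NOT verification; use verify_token before trusting it."""
    try:
        return _unb64(token.split(".")[0]).decode(errors="replace")
    except binascii.Error:
        return None


def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, presented = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    # Check the MAC first, in constant time, before parsing anything.
    if not hmac.compare_digest(presented, _mac(payload, key)):
        return None
    user_id, _, expiry_text = payload.decode(errors="replace").rpartition(":")
    if not user_id or not expiry_text.isdigit():
        return None
    current = time.time() if now is None else now
    if current >= int(expiry_text):
        return None
    return user_id


if __name__ == "__main__":
    t = make_token("alice", 14 * 24 * 3600, now=1_700_000_000)
    print("payload:", peek_payload(t))               # alice:1701209600
    print("valid now:", verify_token(t, now=1_700_000_100))
    # Attacker keeps the MAC but rewrites the user id: rejected.
    forged = _b64(b"admin:1701209600") + "." + t.split(".")[1]
    print("forged:", verify_token(forged, now=1_700_000_100))
```

With a keyed MAC the format of the token can be public; what must stay secret is the key, which is the point the reply makes about the attacker guessing the construction "including the encryption key". The trade-off the reply does not mention is revocation: nothing in this scheme lets the server invalidate one issued token before it expires short of rotating the key for everyone.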
David Spades
Ranch Hand

Joined: Feb 01, 2014
Posts: 208
But if it's a one-way hash, then how do we know if the token is still within the accepted timeframe?
And which way is the one to go? Database or token based? The DB has a downside where we need to purge expired sessions (extra overhead).
thanks
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42634
You'd know that because you'd store the hash in the DB along with the userID and expiration date - so you can look it up when the user accesses the site.

Running a nightly cron job that removes expired sessions is no big deal; that's a pretty standard procedure.
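The database-backed approach from the two replies above (a random token whose hash is stored with the user ID and expiry, the expiry enforced on lookup, and a periodic purge of expired rows), as an added example that is not from the thread. It is in Python with a dictionary standing in for the persistent_logins table so it runs offline; the table name, function names and sample values are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# In-memory stand-in for a persistent_logins table (constructed for this
# example): token_hash -> (user_id, expiry as Unix seconds).
TokenStore = Dict[str, Tuple[str, int]]


def _hash(raw_token: str) -> str:
    """Only this digest is stored; the raw cookie value never touches the DB,
    so a leaked table does not hand out usable remember-me cookies."""
    return hashlib.sha256(raw_token.encode()).hexdigest()


def issue_token(store: TokenStore, user_id: str, lifetime_seconds: int,
                now: Optional[float] = None) -> str:
    """Generate a random token, persist its hash with user id and expiry,
    and return the raw value to put in the remember-me cookie."""
    raw = secrets.token_urlsafe(32)                  # 256 bits from the OS CSPRNG
    current = time.time() if now is None else now
    store[_hash(raw)] = (user_id, int(current) + lifetime_seconds)
    return raw


def lookup_token(store: TokenStore, raw: str,
                 now: Optional[float] = None) -> Optional[str]:
    """On each request: hash the presented cookie, look it up, enforce expiry.
    The expiry comes from the DB row, not from the (unreadable) token."""
    digest = _hash(raw)
    record = store.get(digest)
    if record is None:
        return None
    user_id, expiry = record
    current = time.time() if now is None else now
    if current >= expiry:
        store.pop(digest, None)                      # drop it on first use after expiry
        return None
    return user_id


def revoke_token(store: TokenStore, raw: str) -> bool:
    """Logout: delete the row; the cookie is then useless even if copied."""
    return store.pop(_hash(raw), None) is not None


def purge_expired(store: TokenStore, now: Optional[float] = None) -> int:
    """The nightly job from the reply: delete rows whose expiry has passed."""
    current = time.time() if now is None else now
    stale = [digest for digest, (_, expiry) in store.items() if expiry <= current]
    for digest in stale:
        del store[digest]
    return len(stale)


if __name__ == "__main__":
    db: TokenStore = {}
    cookie = issue_token(db, "alice", 30 * 24 * 3600)
    print("row stored:", next(iter(db.items())))     # hash + user id + expiry, no raw token
    print("lookup:", lookup_token(db, cookie))       # alice
    print("leaked hash as cookie:", lookup_token(db, _hash(cookie)))  # None
    print("purged:", purge_expired(db, now=time.time() + 31 * 24 * 3600))  # 1
```

The lookup enforces expiry on every request, so the purge job is housekeeping (table size) rather than a security control; a row the job has not reached yet is still rejected once its expiry passes. Because each row is a separate server-side record, revoking one device's cookie is a single delete, which the self-contained token design cannot offer.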
David Spades
Ranch Hand

Joined: Feb 01, 2014
Posts: 208
So, database-backed remember-me is the recommended best practice in real-world applications (business web applications)?
thanks