I am curious about how it works when a user is trying to create an account on a website. Does the website use a session or cookie or even MVC to create the account, store it in the database?
I am not sure if session is too much to use for user account creation which includes certain validations (e.g. password needs to be of a complexity). Or would a cookie be sufficient?
I have read the following post but am still not sure on how to go about it to be efficient in my coding.
Session or cookie confusion
Differences between cookies and sessions?
Note: I am using eclipse and Tomcat 8
you can do by :
1/ creating a jsp page (view) where you put a form for user
2/ creating a java class(model) where you put a method that connect to database and insert data (example NewAccount(String username,String password,...){...})
3/ create a servlet(controller) to get data (name , password ...) from the form and pass it to the model by calling a method
Related
I have created a java program that has a login screen. It takes two inputs, discordID and key.
The discordID and key are located inside of an JSON file that is automatically updated by a Discord bot that i have. The bot is made in Python.
I want to use MySQL for handling the user login requests. So my question is...
Can i open up the server for public and handle user login requests? And if that works i want to return True or False depending if the credetials match the ones in the DataBase.
Was thinking at mongoDB for example. There you can return True or False depending if the credentials from the user equals to the ones you have in the database.
It is possible if you create another app just to accept this info over RESTful API but my concern is a different one. Have you given a thought how you would transfer the ID and Key. Are you planning on setting up SSL/HTTPS because that's what you would need to prevent man-in-the-middle attacks.
I am developing a web application that needs to prevent multiple login using the same user name and password concurrently.
If it happens on the same machine then we need to do something with the user session, but it should also prevent if they are login on different machines using the same user name and password.
What can be the best approach :-
1) should i store the user session,credentials,and IPAddress of the machine in the DB.
2) should we use the session tracking mechanism in the application itself.If so what is the best approach?
Also , We have to keep following things in mind:
1) If user close the browser without logout.
2) If session times out.
Hope it clears the question.
Besdies data base hits (which could fail if your server is broguth down without updating db) : A data base friendly way is not to hit the data base for every re login or you could get denial of service attacks that brig you dowm. Instead implement a session listener in J2EE and check if same user is logged in by looking up the user id in a cache.
If you have more than one app node then need a distributed cache with a time out same as session time out in web.xml.
Simply have a field in your database that has text that says online or offline for each user, according to whether they are logged in or not. So when someone tries to log in with that username, check the database if the field says online for that given user on submit. If the field says online, don't allow log in. Otherwise permit it.
without using a database
you can store if a user is online in a text file
$check= "onlineCheck.txt";
$fh = fopen($check, 'a') or die("can't open file");
$nowOnline= "USER678 \n";
fwrite($fh, $nowOnline);
I am Using Google App Engine for Java and I want to be able to share session data between subdomains:
www.myapp.com
user1.myapp.com
user2.myapp.com
The reason I need this is that I need to be able to detect if the user was logged in on www.myapp.com when trying to access user1.myapp.com. I want to do this to give them admin abilities on their own subdomains as well as allow them to seamlessly switch between subdomains without having to login again.
I am willing to share all cookie data between the subdomains and this is possible using Tomcat as seen here: Share session data between 2 subdomains
Is this possible with App Engine in Java?
Update 1
I got a good tip that I could share information using a cookie with the domain set to ".myapp.com". This allows me to set something like the "current_user" to "4" and have access to that on all subdomains. Then my server code can be responsible for checking cookies if the user does not have an active session.
This still doesn't allow me to get access to the original session (which seems like it might not be possible).
My concern now is security. Should I allow a user to be authenticated purely on the fact that the cookie ("current_user" == user_id)? This seems very un-secure and I certainly hope I'm missing something.
Shared cookie is most optimal way for your case. But you cannot use it to share a session on appengine. Except the case when you have a 3rd party service to store sessions, like Redis deployed to Cloud Instances.
You also need to add some authentication to your cookie. In cryptography there is a special thing called Message Authentication Code (MAC), or most usually HMAC.
Basically you need to store user id + hash of this id and a secret key (known to both servers, but not to the user). So each time you could check if user have provided valid id, like:
String cookie = "6168165_4aee8fb290d94bf4ba382dc01873b5a6";
String[] pair = cookie.split('_');
assert pair.length == 2
String id = pair[0];
String sign = pair[1];
assert DigestUtils.md5Hex(id + "_mysecretkey").equals(sign);
Take a look also at TokenBasedRememberMeServices from Spring Security, you can use it as an example.
Now in my application cookies for users are generated in a certain format containing userID. I want my cookie to be generated randomly after every login so even if cookie were stolen once they would never be used forever by a hacker.
What is the best practice of handling cookies this way? How should I store/retrieve them(hashtable/datastore...)?
Thanks
I would recommend using the built in Java session objects HttpSession, which GAE/J has support for.
Look here for the docs on how to enable sessions on GAE.
You can set the session to expire after a certain time period, or you could store a number in it and verify the session externally.
You can try following parameters:
user id
time to live (milliseconds)
hash for:
user password
user id
remote IP or browser
time to live (exact same as before)
and maybe an predefined string or salt
Join it into one string (like 13413:1826271762:b026324c6904b2a9cb4b88d6d61c81d1) and store it into a cookie like USERID.
On every request you need:
check that specified time is valid (less than current)
load user from database, by specified ID
validate hash signature (against current remote IP/browser and current password)
I agree with Rick, the container designers have done the dirty work of verifying if the request is coming from the same user and you don't want to reinvent the wheel do you?
HttpSession session = request.getSession();
This will create a new session, if one doesn't already exists but if it does it will get you the existing session.
session.setAttribute('key', value);
value can be any Serializable POJO and key is a string.
You can retrieve the stored value within the scope of you application by following code.
Object value = (Object) session.getAttribute('key');
For more information on how to use sessions check Java spec for HttpSessions.
The website is having auto-refresh.When an user login with the same username that is logged in already somewhere,how to logout the previous login?How to give a relogin page in the first browser window?
Please provide some code snippets....
Thanks in advance....
This post is dealing with a similar problem.
Without you specifying more details, it's difficult to answer your question properly. First of all, if a user opens another tab or window within the same browser, they will be still logged in using the previous login. This is normal behaviour.
If a user logs in using a different browser, then one thing you can do:
register a HttpSessionListener
when a session is created, using void sessionCreated(HttpSessionEvent se), check if user's credentials and session id are in your database
if not, put them in a database table
if yes, then invalidate their previous session by deleting previous credentials in database
when a session is destroyed, using void sessionDestroyed(HttpSessionEvent se) delete user's credentials in database
One other thing. If you're going to use this approach, then you'll have to check with every browser request if your user's credentials are stored in a database. You can use a Servlet filter for this. This will, of course, be an overhead.
One more thing. If there's an exception in your session creation/destruction code, there's a danger of user's credentials aren't properly disposed of in database. You can handle this using database triggers to delete rows that are as old as your session timeout is.