Cookie and security in Java (GAE)

Question

Now in my application cookies for users are generated in a certain format containing userID. I want my cookie to be generated randomly after every login so even if cookie were stolen once they would never be used forever by a hacker.

What is the best practice of handling cookies this way? How should I store/retrieve them(hashtable/datastore...)?

Thanks

Answer 1

You can try following parameters:

• user id
• time to live (milliseconds)
• hash for:
  • user password
  • user id
  • remote IP or browser
  • time to live (exact same as before)
  • and maybe an predefined string or salt

Join it into one string (like 13413:1826271762:b026324c6904b2a9cb4b88d6d61c81d1) and store it into a cookie like USERID.

On every request you need:

• check that specified time is valid (less than current)
• load user from database, by specified ID
• validate hash signature (against current remote IP/browser and current password)

Answer 2

I would recommend using the built in Java session objects HttpSession, which GAE/J has support for. Look here for the docs on how to enable sessions on GAE.

You can set the session to expire after a certain time period, or you could store a number in it and verify the session externally.

Answer 3

I agree with Rick, the container designers have done the dirty work of verifying if the request is coming from the same user and you don't want to reinvent the wheel do you?

HttpSession session = request.getSession(); 

This will create a new session, if one doesn't already exists but if it does it will get you the existing session.

session.setAttribute('key', value);

value can be any Serializable POJO and key is a string. You can retrieve the stored value within the scope of you application by following code.

Object value = (Object) session.getAttribute('key');

For more information on how to use sessions check Java spec for HttpSessions.