
I have a little bit of a problem understanding cookies, sessions and authentication in a Java web app.

Basically I have an authentication class, to an object of which my servlet gives the request object, and it is responsible for returning true or false depending on whether the user has logged in or not.

So, every time a user logs in, I will create a big random string, and I will give it as a value to the response cookie and also to the session object as an attribute, is that right? And when that user makes another request, I will compare the cookie he just sent me to the cookie of his session to see if it is the same, and then he will be authenticated, right?

Maybe I am saying wrong things here, that's why I want someone to explain to me whether the authentication of a user is the above process or where I am mistaken.

Thank you

2 Answers

Either have a security framework (such as JAAS) handle it, or store the data in the session. Storing it in a cookie is very insecure and vulnerable to all sorts of attacks. See this similar question.

Cookies are stored on the client, whereas sessions are managed on the server and are therefore more secure. Using JAAS or another framework will give you more sophisticated authentication/authorization options.

answered 2013-02-06T02:37:40.120

A simple approach is to set a flag in the session (or in the user object itself) when the user is authenticated. You don't have to do anything with cookies: let the container maintain your session using cookies. You only care about the session itself.

For efficiency, you could optimize your code so that no session is created until the user logs in. But then you may not be able to store other information (such as shopping cart contents) for users who have not yet logged in. The small memory saving isn't worth the extra hassle.

I'd recommend using a framework; JAAS is too abstract/complex. Use something like Shiro.

answered 2013-02-06T02:18:14.173
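The second answer's approach, as an added example that is not code from the original thread: a login servlet that records the authenticated user in the container-managed HttpSession (the container alone handles the JSESSIONID cookie), and a filter that admits only requests carrying such a session. The URL mappings, the `authenticatedUser` attribute name and `checkCredentials()` are assumptions; the two public classes go in separate source files.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Login endpoint: verify the credentials, then record the outcome in the server-side session.
// checkCredentials() is a hypothetical stand-in for the application's own user lookup.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        if (user == null || !checkCredentials(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Drop any session that existed before login and start a fresh one, so an id the
        // browser held while anonymous is never promoted to an authenticated session.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true); // the container sets the JSESSIONID cookie
        session.setAttribute("authenticatedUser", user);
        resp.sendRedirect(req.getContextPath() + "/app/home");
    }

    private boolean checkCredentials(String user, String password) {
        return false; // hypothetical: replace with the real (hashed) password check
    }
}

// Filter in front of every protected URL: no marker in the session, no access.
@WebFilter("/app/*")
public class AuthFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false); // never create a session just to inspect it
        if (session == null || session.getAttribute("authenticatedUser") == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        chain.doFilter(request, response);
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Nothing from the cookie is compared by application code: the container resolves JSESSIONID to a server-side session, and the filter only checks what that session contains.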