
Tracking whether user is logged-in in a stateless web application?

If I wanted to enable users to log in and out, what would be some good patterns of doing this in a stateless application?

Also, what are the top security concerns? I am thinking of doing this in Java.

Thanks, Alex

If you cannot store session data in the user's browser (via a cookie), this is probably very hard to achieve.

I'm not sure what you mean by "stateless", but if storing a session key in the user's browser is not possible, you can always send this "key" in the HTML you produce. This "key" will be something you randomly generate (random enough that nobody can easily guess it). The "key" is only known by you and the user. Whenever the user requests a new page, he needs to "POST" or "GET" this key as an HTTP parameter if he wants to be identified as logged in.

The security concern with this is that if you do it over non-secure HTTP, the network can easily be sniffed. If you do it over SSL (HTTPS) it is probably more secure.
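The answer above relies on a random key that the server has to remember in order to recognise it, so the server is not fully stateless. The following is an added example (mine, not code from the question or the answer) of the truly stateless variant that a practitioner would usually reach for: the server signs the login claim ("who" plus "valid until") with an HMAC-SHA256 over a server-only secret, hands the signed token to the browser, and on every request verifies the tag and the expiry without looking anything up. The class name, the `username:expiry` payload layout, the 32-byte key and the fixed demo clock are all my assumptions for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Issues and verifies self-contained login tokens: no server-side session store is needed. */
public final class StatelessLoginToken {
    private static final String HMAC_ALG = "HmacSHA256";
    private static final Base64.Encoder B64E = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private final byte[] secretKey; // known only to the server; load from a secret store, rotate periodically

    public StatelessLoginToken(byte[] secretKey) {
        if (secretKey.length < 32) throw new IllegalArgumentException("key must be at least 256 bits");
        this.secretKey = secretKey.clone();
    }

    /** Token = base64url("username:expiryEpochSeconds") + "." + base64url(HMAC of that payload). */
    public String issue(String username, long expiresAtEpochSeconds) {
        if (username.contains(":")) throw new IllegalArgumentException("username must not contain ':'");
        byte[] payload = (username + ":" + expiresAtEpochSeconds).getBytes(StandardCharsets.UTF_8);
        return B64E.encodeToString(payload) + "." + B64E.encodeToString(hmac(payload));
    }

    /** Returns the username if the tag verifies and the token is unexpired; otherwise empty. */
    public Optional<String> verify(String token, long nowEpochSeconds) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 2) return Optional.empty();
        byte[] payload;
        byte[] presentedTag;
        try {
            payload = B64D.decode(parts[0]);
            presentedTag = B64D.decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not base64url: reject
        }
        // Constant-time comparison: Arrays.equals would leak timing that helps an attacker forge tags byte by byte.
        if (!MessageDigest.isEqual(hmac(payload), presentedTag)) return Optional.empty();
        String text = new String(payload, StandardCharsets.UTF_8);
        int sep = text.lastIndexOf(':');
        if (sep < 0) return Optional.empty();
        long expiresAt;
        try {
            expiresAt = Long.parseLong(text.substring(sep + 1));
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        if (nowEpochSeconds >= expiresAt) return Optional.empty(); // expiry is the only "logout" a stateless server has
        return Optional.of(text.substring(0, sep));
    }

    private byte[] hmac(byte[] data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(secretKey, HMAC_ALG));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // demo only: a real deployment loads a persistent key
        StatelessLoginToken tokens = new StatelessLoginToken(key);

        long now = 1_700_000_000L;               // constructed fixed clock for the demo
        String token = tokens.issue("alex", now + 900); // 15-minute lifetime
        System.out.println("valid:    " + tokens.verify(token, now));
        System.out.println("expired:  " + tokens.verify(token, now + 901));

        // Swap the username in the payload but keep the old tag: the HMAC no longer matches.
        String forgedPayload = B64E.encodeToString(("admin:" + (now + 900)).getBytes(StandardCharsets.UTF_8));
        String forged = forgedPayload + "." + token.split("\\.")[1];
        System.out.println("tampered: " + tokens.verify(forged, now));
        System.out.println("garbage:  " + tokens.verify("not-a-token", now));
    }
}
```

Running `main` accepts the freshly issued token, and rejects the same token after its expiry, the token with a rewritten username, and a string that is not a token at all. Two caveats matter in practice. First, carry the token only over HTTPS and preferably in a cookie flagged `Secure`, `HttpOnly` and `SameSite`, or in an `Authorization` header, rather than as a GET parameter: a token in the URL ends up in server logs, proxy logs, browser history and `Referer` headers. Second, a signed token stays valid until it expires, so "log out" in a stateless design means either short lifetimes (with re-issue on activity) or a server-side revocation list, and the latter reintroduces exactly the state the design was trying to avoid.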
