
client/server application's authentication policy

I am writing a simple protocol for a basic chat program. My question is: once the client has authenticated by providing a username and password, should I also ask the client to provide a token in its following packets? Or is it sufficient to keep its authentication status in a table at the server and never expect the client to prove it until it disconnects and reconnects?

You should not demand authentication for any further messages after the client has given correct credentials. If you are suspicious, each and every message should contain authentication information, and in that implementation you need not authenticate via "login" - just demand security information on each message.

After a successful login, the only case where you may demand user credentials is when updating the client's information (by the client itself), which includes changing the password and other "user" information. You must ask for the password when a "change password" request is initiated.

Ensure that authentication has some encryption attached, so that no one can intercept the message. You may also have some key (like a few-byte string) that you can validate for each incoming message to ensure the message is coming from the correct client (this is as per your original design, not for the alternate design I gave in the first paragraph).
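The two options discussed above (a server-side session table versus a per-message secret) can be combined: authenticate with the password once, hand the client an unguessable random token, keep the token in a server table, and check it on every later packet. The following is an added example, not code from the question or the answer; the class name `ChatServer`, the helper names, the idle timeout and the sample users are all constructed for this illustration. Only the "change password" path asks for the password again, matching the advice in the answer.

```python
"""Minimal server-side session table for a chat protocol (added example).

Flow: login(username, password) verifies the password once and returns a
random session token; handle_message(token, text) only checks that the
token is in the table; change_password(...) additionally re-checks the
current password and revokes the user's other sessions.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000          # work factor for stored password hashes
SESSION_TTL_SECONDS = 30 * 60    # idle timeout; an assumption for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256, so the server never
    stores the plaintext password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class ChatServer:
    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, digest)
        self._sessions: Dict[str, dict] = {}               # token -> session record

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def _check_password(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Do the same work for unknown users so timing does not reveal
            # whether the username exists.
            hash_password(password)
            return False
        salt, expected = record
        _, actual = hash_password(password, salt)
        return hmac.compare_digest(expected, actual)

    def login(self, username: str, password: str) -> Optional[str]:
        """Verify credentials once; on success issue a 256-bit random token.
        A high-entropy token is what makes the plain dict lookup below safe:
        there is nothing for a client to guess incrementally."""
        if not self._check_password(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "last_seen": time.monotonic()}
        return token

    def _session_user(self, token: str) -> Optional[str]:
        """Resolve a token to its user, expiring sessions idle past the TTL."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = time.monotonic()
        if now - session["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[token]
            return None
        session["last_seen"] = now
        return session["user"]

    def handle_message(self, token: str, text: str) -> Optional[str]:
        """An ordinary chat message needs only a valid token, never the password.
        Returns the authenticated sender's name, or None if the packet is rejected."""
        return self._session_user(token)

    def change_password(self, token: str, old_password: str, new_password: str) -> bool:
        """Sensitive operation: require the current password on top of a valid
        token, then drop every other session belonging to that user."""
        user = self._session_user(token)
        if user is None or not self._check_password(user, old_password):
            return False
        self._users[user] = hash_password(new_password)
        self._sessions = {t: s for t, s in self._sessions.items()
                          if s["user"] != user or t == token}
        return True

    def logout(self, token: str) -> None:
        """Forget the token; later packets carrying it are rejected."""
        self._sessions.pop(token, None)
```

The token must still travel inside an encrypted channel (TLS between client and server), as the answer points out: a random token protects against forged or stale sessions, not against an eavesdropper who can read the packets and replay the token.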
