GWT 验证的用户会话
我的 Web 应用程序由两部分组成:
- 完成所有工作的 GWT 应用程序。
- 手工制作的 servlet 旨在处理 OpenID 身份验证工具。
我需要将 p.2 连接到 p.1。我正在阅读 LoginSecurityFAQ,所以我想在这里确认一下我的理解是否正确。
- 一旦 OpenID 提供商确认用户正常并向我提供其身份,我就应该注册会话。
- 要“注册”会话,我应该在数据库中的某个位置存储 OpenID 身份和会话 id 之间的映射(identity="https://www.google.com/accounts/o8/id?id=wwyruiwncuyrwieruyfakefakefake" 和会话 id是一个大的随机字符串,例如“HiuhoiuhIUHOIUY87Y*&Ttgi6yUYGIuygUHGugyg^G6g”)。
- 该会话 ID 应存储在客户端的 cookie 中。
- 每次从客户端发送任何请求时,在服务器端,我应该检查客户端的会话 ID 是否仍然足够新鲜(活动),并且我还应该使用它来解析客户端的身份,以防万一我需要它。
对吗?如果会话 ID 很大,是否足够安全?
My web application consists of 2 parts:
- GWT app that does all the work.
- Handmade servlet aimed to handle OpenID authentication facility.
I need to wire p.2 to p.1. I'm reading LoginSecurityFAQ, so I'd like to confirm whether my understanding is correct here.
- Once OpenID provider confirms that user is OK and gives me its identity, I should register the session.
- To "register" the session, I should store somewhere in my DB a mapping between OpenID identity and a session id (identity="https://www.google.com/accounts/o8/id?id=wwyruiwncuyrwieruyfakefakefake" and session id is a large random string like "HiuhoiuhIUHOIUY87Y*&Ttgi6yUYGIuygUHGugyg^G6g").
- That session id should be stored on client side in a cookie.
- Every time any request is sent from client side, on server side I should check whether client's session id is still fresh enough (alive) and I should also use it to resolve client's identity in case I need it.
Is it right? Is it secure enough in case session ID is really large?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
你的想法是对的,我也或多或少这样做。
只需注意几点:
1) 如果您想保留身份,请不要忘记正确设置领域。否则,根据 OpenID 提供商的不同,同一用户下次登录时可能会得到不同的身份。我认为 Google 的 OpenID 要求您使用您的服务器名称加端口:
2)为什么要创建自己的会话管理?这是相当多的额外工作,您最终可能会写出一些不安全的东西。使用通用的 http servlet 会话。
3) 如果您使用 http 会话,则不需要管理会话超时,但如果您需要拦截所有 GWT RPC 调用,正确的位置可能是重写 RemoteServiceServlet 实现中的 service 方法。
Your thinking is right, I do it more or less like that too.
Just a few notes:
1) In case you want to persist the identity, do not forget to set the realm right. Depending on OpenID provider you may end up with a different identity for the same user on next login otherwise. I think Google's OpenID requires you to use your server name plus port:
2) Why create your own session management? It is quite a lot of extra work and you might end up writing up something insecure. Use common http servlet sessions.
3) You won't need to manage session timeouts if you use http sessions, but if you need to intercept all GWT RPC calls, the right place might be overriding service method in your RemoteServiceServlet implementation.