Hi,

I'm implementing a web app, which uses sessions. I'm using GWT and app engine as my client/server, but I don't think they're doing anything really different than I would do with PHP and apache etc.

When a user logs into my web app, I am using HttpSession to start a session for them. I get the session id like this:

// From my login servlet:
String sessionId = getThreadLocalRequest().getSession(false).getId();

I return the sessionId back to the client, and they store it in a cookie. The tutorial I'm using sets this cookie to 'expire' in two weeks:

Cookie.write("sid", theSessionId, 1000 * 60 * 60 * 24 * 14); // two weeks

Here's where I'm confused: if the cookie expires in two weeks, then my user will go along using the webapp happily, only to one day browse to my site and be shown a login screen. What are my options? Can I just set no expiration time for this cookie? That way the user would have to explicitly log out, otherwise they could just use the app forever without having to log back in?

Or is there a better way to do this? I can't remember sites like Twitter having ever asked me to log back in again. I seem to be permanently logged in. Do they just set no expiration?

The webapp isn't protecting any sort of highly sensitive data, so I don't mind leaving a cookie that doesn't expire, but it seems like there must be a better way?

This is the tutorial I'm referencing:

http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ

Thanks

+1  A: 

The HttpSession is behind the scenes already backed by a cookie. Check the browser cookie list for the one with the name jsessionid. Further, when obtaining an instance, you should call getSession() without the false, else you may risk a NullPointerException when it isn't created yet and thus will return null.

When you do a login, you usually put the logged in User in the session.

HttpSession session = request.getSession(); // creates the session if it doesn't exist yet
User user = userDAO.find(username, password);
if (user != null) {
    session.setAttribute("user", user); // marks this session as logged in
} else {
    // Handle error "Unknown username/password combo."
}

You can let your web application intercept on the logged in User by just checking its presence in the session. For example in a Filter which you'd like to use to block secured pages.

// request and response are the ones handed to Filter#doFilter()
HttpSession session = ((HttpServletRequest) request).getSession();
if (session.getAttribute("user") == null) {
    ((HttpServletResponse) response).sendRedirect("login"); // not logged in
} else {
    chain.doFilter(request, response); // logged in, continue to the secured page
}

The HttpSession has in most web containers a default timeout of 30 minutes. In other words, it will expire 30 minutes after the last request. This is configurable in web.xml as follows:

<session-config>
    <session-timeout>10</session-timeout>
</session-config>

Where the timeout is in minutes (thus 10 minutes in the above example).

If you'd like to provide an (automatic) "Remember me on this computer" option, then you have to create another cookie with another identifier. I've previously posted an answer which goes into detail about that: Java - How do I keep a user logged into my site for months?

BalusC
Ok so I don't actually need to do anything client-side to support this then? I tested on app-engine and works, but the session is not retained after I close the browser, even if I put an explicit session-timeout duration in web.xml. I guess that doesn't matter though because the second part 'keep a user logged into my site for months' should cover it? Thanks
That's correct. When you shutdown the web browser, then all cookies without an age will be garbaged. You need to provide your own cookie whenever you'd like to keep it a bit longer persistent.
BalusC
Ok that makes sense - but then I'm confused as to how you can do an immediate automagic login as in your other question answer? When the user restarts their browser, jsessionid is purged. So on next restart, the browser will go to www.mysite.com and *not* see it has jsessionid. Therefore the server will serve the page as if the user is *not* authenticated. It will require the client to do a trip back to the server now to tell it that the user is in fact authenticated. Isn't there a way for the browser to send my own cookie on first presentation? Will elaborate in original Q edit, thanks!
Actually I will ask in separate Q cause you answered my original question, thank you!
Ok posted follow-up here, I think I have it all but would be great if you could spot-check it, scary stuff!: http://stackoverflow.com/questions/2704961/is-this-a-legitimate-implementation-of-a-remember-me-function-for-my-web-app
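The Filter the accepted answer sketches, written out as a complete class so the pieces fit together; this is an added example, not code from the question, the answer or the linked tutorial. It assumes the login servlet stores the User under the session attribute "user" (as in the answer) and that the login page is mapped at the assumed path /login, which the filter lets through so an anonymous visitor is not redirected in a loop.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. Map it in web.xml to the URLs that need a logged-in user.
// Requests without a User in the HttpSession are sent to the login page.
public class LoginFilter implements Filter {

    private static final String USER_ATTRIBUTE = "user"; // same name the login servlet uses
    private String loginPath;

    @Override
    public void init(FilterConfig config) {
        // Assumed location of the login page, e.g. "/myapp/login".
        loginPath = config.getServletContext().getContextPath() + "/login";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) does not create a session for anonymous visitors,
        // so it may return null; treat null exactly like "no user in session".
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTRIBUTE) != null;

        if (loggedIn || request.getRequestURI().equals(loginPath)) {
            chain.doFilter(request, response); // logged in, or the login page itself
        } else {
            response.sendRedirect(loginPath);  // not authenticated: go log in
        }
    }

    @Override
    public void destroy() {
    }
}
```

Because the session cookie carries no max-age, closing the browser drops it and this filter will redirect to the login page on the next visit, which is the behaviour discussed in the comments above.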