views:

324

answers:

3

Hello guys,

I am using GWT to create a website. This question is regarding a login page and cookies to save login details. GWT allows you to create a website within a single webpage.

My application runs on one webpage. I have the application set up as follows: there is a login box with a login button, and if the details are correct it will load up the underlying UI and remove the login box.

So that means every time I refresh my page the application brings me to the login page. Is there any way to set up a cookie that holds the information of the user for, for example, a day, that would input the details into the login box and sign in automatically?

Also, the logout button within the web app would remove the information in the cookie and bring you to the login page (remove the cookie information and direct you to the login part of the webpage).

Or would there be a different approach?

A: 

Yes, I recommend you use a different approach. The approach is history management. Read both part 1 and 2 of this document by Google about the MVP pattern. Using this kind of architecture will benefit you enormously.

Zwik
What does history management have to do with cookie-based authentication?
Igor Klimer
This wasn't the only question he asked. And managing history would prevent his app from having to re-authenticate each time he changes view or, in his case, refreshes.
Zwik
No, I still don't see any relation to the question asked. Unless I'm missing something, using MVP or not has nothing to do with authentication (and keeping that way). Sure, it makes history management easier and all, but it does not solve the main problem here - authentication, keeping the user authenticated during the session and/or after. Please explain in detail, if you think I'm wrong :)
Igor Klimer
History-based management will not perform authentication. You can directly go to the page that has a History.newItem("foo") at the end of the URL.
Kaustubh P
+2  A: 

Here you can find some information about login security in GWT. There is also a section on how to use cookies to remember that a user has logged in.

Piotr
Thank you, this came in very handy.
molleman
+7  A: 

I'd say you almost got it right :D Here's how I handle login/logout in my application:

  1. The user loads the page - if he has a cookie set with a token (see next points for more info), send that token to the server to check if it's still valid. If it's valid, you are logged in, go to point 5.
  2. The user inputs a user/pass combination. This information is sent to the server (it'd be best to send it over an encrypted connection, but it's hard to achieve with GWT - for example, see this question).
  3. The server checks if the user/password hash (see below) combination matches with what's in the database/whatever. If so, it generates a token (just some random, rather long string, like a UUID) and sends it back to the client.
  4. If the user checked the "Remember me" checkbox during login, store the token in a cookie.
  5. When the client receives the token, it should use it for every request made to the server that you want only authenticated users to perform. There, the server checks if the token is valid (you have to keep track of token(s)/user pairs in your DB) and if so, authorizes the transaction/whatever. Here's the catch: if you rely only on the cookie, you'll be vulnerable to an XSRF attack. That's why you should also pass the token (the cookie is transferred automagically - that's why an XSRF attack is possible) as part of the request (you know, like an additional field in JSON or a field in a POJO you send via GWT-RPC, or even in the HTTP header).
  6. On logout, send information to the server that this user just logged out. The server should then delete/invalidate the token. If the user checked "Remember me", also delete the cookie.

Some additional notes:

  • This is very important: remember to check on the server side if the token passed through the cookie equals the one passed as part of the request.
  • Don't store the passwords in your database as plain text - store hashes of the passwords. Use BCrypt for maximum security. That's why I wrote that you should compare password hashes, not the actual passwords.

Security in AJAX applications is serious business - I've seen too many web applications with easy to exploit security holes... Make sure you understand completely what you are doing and why. If you have any questions, don't hesitate to ask :)

Igor Klimer
This answer has also helped me, as it has given me insight into logging in securely. Cheers Igor.
molleman
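The server-side half of the flow in the +7 answer (points 3, 5 and 6 plus the first note), as an added Python example that is not part of the answer and not GWT's own code: `AuthServer`, its method names and the in-memory dicts are constructed stand-ins for "the database/whatever", and standard-library PBKDF2-HMAC replaces the BCrypt the answer recommends so the block runs without third-party packages. The `authorize()` check is the cookie-token-equals-request-token comparison the note calls very important: a request carrying only the automatically-sent cookie is rejected.

```python
import hashlib, hmac, os, secrets, time

def hash_password(password: str, salt: bytes) -> bytes:
    # The answer recommends BCrypt; PBKDF2-HMAC from the standard library
    # stands in here so the example runs without extra packages.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthServer:
    TOKEN_TTL = 24 * 3600  # a day, as the question asked

    def __init__(self, now=time.time):
        self.now = now       # injectable clock so expiry can be exercised
        self.users = {}      # constructed "DB": username -> (salt, hash)
        self.tokens = {}     # token -> (username, expiry)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login(self, username, password):
        """Points 2-3: compare password hashes, then issue a random token."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, self.now() + self.TOKEN_TTL)
        return token

    def authorize(self, cookie_token, request_token):
        """Point 5 and note 1: the browser sends the cookie on its own, so
        the request must also carry the token and both copies must match."""
        if not (cookie_token and request_token
                and hmac.compare_digest(cookie_token, request_token)):
            return None  # cookie alone (the XSRF case) or mismatch: reject
        entry = self.tokens.get(cookie_token)
        if entry is None:
            return None  # unknown or already invalidated token
        username, expiry = entry
        if self.now() > expiry:
            self.tokens.pop(cookie_token)
            return None
        return username

    def logout(self, token):
        """Point 6: invalidate server-side; the client drops its cookie too."""
        self.tokens.pop(token, None)
```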