Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>Scala or not, JSON or not, XHR or not the mechanism is still the same. You send login and password to the server (salt-hash the password on the client-side to make it safer), server authenticates it (checks if login and password match the one in db), then it creates a session for the user (in DB or in memory - depending on your needs) and sends the session ID to the user as a cookie (AJAX requests/responses should work correctly with cookies). </p> <p>Now on every request you check for the session cookie and verify if it points to the valid user (i.e. if it points to anything). Logout is as simple as deleting the session entry with given ID. The ID should be created in such a way that first: it is long (to minimize threat of session hijacking) and second: it contains the date encoded (so you can clean expired sessions).</p> <p>This is so called <a href="http://en.wikipedia.org/wiki/Form-based_authentication" rel="noreferrer">Form-based Authentication</a>.</p> <p><strong>// EDIT</strong></p> <p>Let me answer the questions in comments. How does session work?</p> <p>Server creates session. Session is nothing else then table in DB with 2 columns: ID and Value (here you will hold session data encoded in JSON and compressed if necessary like for example things you want to buy from eShop). When client is successfully authenticated server send the session ID to the user via cookies. So server has to add the following header to the response:</p> <pre><code>Set-Cookie: session=ID32445235423tdwfnmm; Expires=Wed, 09 Jun 2012 10:18:14 GMT </code></pre> <p>Now the browser understands this header and sets the cookie for client. From this point whenever you make a request the browser automatically adds cookies to the request, so every request from now on will have the following header</p> <pre><code>Cookie: session=ID32445235423tdwfnmm; other_cookie:other_value; </code></pre> <p>unless the date is after <code>Wed, 09 Jun 2012 10:18:14 GMT</code>. If this is the case then our session cookie will be omitted (note that this is not the same as destroying session on the server side which you have to handle manually).</p> <p>Now you have to decode the <code>Cookie</code> header on the server side and retrieve the ID. Using some framework is a great idea at this point, because it is a bad practice to write decoding code in every request. You should use so called middleware here. Now this middleware retrieves the ID, checks the DB for session and stores the result (i.e. user is authenticated or not) in request object to be used later (i.e. in the final request handler).</p> <p>So as you can see you don't use JavaScript at all.</p> <p>Also you set the cookie <strong>only</strong> on login request (although you can set it on every request to minify session hijacking problem - but that's even more complicated). It is browser's job to store the ID. On server side you only check if the <code>Cookie</code> header contains <code>session</code> key.</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload