<p>This recent 2009 <a href="http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html" rel="nofollow noreferrer">chapter</a> in Spring Security 3.0 discusses Remember-Me type authentication. The general concepts are not specific to Spring Security, so you should be able to benefit from it even if you are not using it. The chapter also cites Barry Jaspan's 2006 <a href="http://jaspan.com/improved_persistent_login_cookie_best_practice" rel="nofollow noreferrer">blog</a> posting, which is an improvement over the techniques described in Charles Miller's 2004 <a href="http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/" rel="nofollow noreferrer">blog</a> posting.</p> <p>The blog entry basically comes down to:</p> <ol> <li><p>When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.</p> <ul> <li><p>The login cookie contains the user's username, a series identifier, and a token. The series and token are unguessable random numbers from a suitably large space. All three are stored together in a database table.</p></li> <li><p>When a non-logged-in user visits the site and presents a login cookie, the username, series, and token are looked up in the database.</p></li> <li><p>If the triplet is present, the user is considered authenticated. The used token is removed from the database. A new token is generated, stored in the database with the username and the same series identifier, and a new login cookie containing all three is issued to the user.</p></li> <li><p>If the username and series are present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user's remembered sessions are deleted.</p></li> <li><p>If the username and series are not present, the login cookie is ignored.</p></li> </ul></li> </ol>
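<p>As an added example (not part of the answer above, and not Spring Security's or Jaspan's code), here is the series/token scheme from the list above in Python. The in-memory <code>dict</code> stands in for the database table, the colon-separated cookie format and all names are assumptions, and the point it adds beyond the prose is the order of the checks: unknown series is silently ignored, known series with a stale token revokes every series the user has, and a valid triplet rotates the token but keeps the series.</p>

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field

# Sizes are assumptions; 16 random bytes each gives 128 bits of unguessability.
SERIES_BYTES = 16
TOKEN_BYTES = 16


def encode_cookie(username: str, series: str, token: str) -> str:
    """Pack the triplet into one cookie value (hypothetical format).

    The username is base64url-encoded so it can never contain the ':' separator;
    series and token come from secrets.token_urlsafe and are already separator-free.
    """
    user_b64 = base64.urlsafe_b64encode(username.encode()).decode()
    return f"{user_b64}:{series}:{token}"


def decode_cookie(cookie: str):
    """Return (username, series, token) or None if the cookie is malformed."""
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    try:
        username = base64.urlsafe_b64decode(parts[0].encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    return username, parts[1], parts[2]


@dataclass
class RememberMeStore:
    # (username, series) -> currently valid token; stands in for the DB table.
    rows: dict = field(default_factory=dict)
    # Users who must be shown the "your login cookie was stolen" warning.
    theft_warnings: list = field(default_factory=list)

    def issue_login_cookie(self, username: str) -> str:
        """Step 1: after a successful password login with Remember Me checked,
        start a new series for this browser and store the triplet."""
        series = secrets.token_urlsafe(SERIES_BYTES)
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self.rows[(username, series)] = token
        return encode_cookie(username, series, token)

    def authenticate_cookie(self, cookie: str):
        """Steps 2-5: validate a presented cookie.

        Returns (username, replacement_cookie) when the user is authenticated,
        or (None, None) when the cookie is ignored or rejected.
        """
        parsed = decode_cookie(cookie)
        if parsed is None:
            return None, None
        username, series, token = parsed

        stored = self.rows.get((username, series))
        if stored is None:
            # Username/series unknown: ignore the cookie, fall back to normal login.
            return None, None

        # Constant-time compare so the token check does not leak timing information.
        if not hmac.compare_digest(stored, token):
            # Series known but token stale: someone (us or the thief) already used
            # the real token. Assume theft and kill every remembered session.
            self._revoke_all(username)
            self.theft_warnings.append(username)
            return None, None

        # Valid triplet: consume the token, rotate within the same series.
        new_token = secrets.token_urlsafe(TOKEN_BYTES)
        self.rows[(username, series)] = new_token
        return username, encode_cookie(username, series, new_token)

    def _revoke_all(self, username: str) -> None:
        for key in [k for k in self.rows if k[0] == username]:
            del self.rows[key]

    def series_count(self, username: str) -> int:
        return sum(1 for k in self.rows if k[0] == username)
```

<p>Usage: call <code>issue_login_cookie</code> once per browser at login, and on each later visit without a session feed the presented cookie to <code>authenticate_cookie</code> and set the returned replacement cookie. Because the token is single-use, a stolen cookie is detected as soon as both the victim and the thief have presented it, and the second presentation revokes every series (every remembered device) for that user.</p>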