0

What is the best way to keep the same session when you open the same Java webapp in another browser tab, passing parameters like username/password in the most secure way?
The purpose behind this is to navigate the webapp to the next navigation page after making a request to some service.
I am doing it at the client side.

This is a thought coming to my mind right now:

  1. To add the parameters in the URL (not secure)
  2. .....
GingerHead
  • If you still have the password to be able to pass it, you are doing it wrong (you should not keep the password in clear). I have never done this, but I suppose that you'll need to pass the session cookie somehow. – Pablo May 16 '12 at 11:37
  • Pablo is correct with his view on password security. But if you are determined to pass uname and password parameters, no doubt, data encryption is the best way to do it. – Ravi Jain May 16 '12 at 11:45

1 Answer

0

On your server you can check whether the incoming request has a valid session or not; if it has a valid session, retrieve the username or a similar identifier from the session.

Depending upon the user, you can show him/her the home page which they would enter if they had actually logged in to the system.

If you want to show a response based on the last action, then you can keep the last action as part of your session, with rules on your server which fetch the correct page depending upon the last action.

E.g. Gmail will always show you the inbox if you have a valid session in one tab and you open Gmail again in another tab.

If this is handled at the server level it is highly secure, as there is no need to append or send user credentials.

mprabhat
  • I am doing it at the client side – GingerHead May 16 '12 at 11:42
  • If you are doing it at the client side, don't do a GET, use POST: create a dummy form, attach the username and password (encrypted), and then post it to the server – mprabhat May 16 '12 at 11:50
  • not good, that's an old way, I don't want any information to show up in the url – GingerHead May 16 '12 at 13:13
  • When you use POST it's not going to be seen in the URL; only if you use GET will it be visible in the URL. Moreover, since there is already a valid session, your client doesn't need the password at all – mprabhat May 16 '12 at 13:53
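
The server-side check described in the answer above, sketched as a servlet. This is an added example, not code from the original answer or its comments. It assumes the `javax.servlet` API and Java 9+; the `/resume` and `/login` mappings, the JSP paths, and the session attribute names `username` and `lastAction` are hypothetical.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Entry point for a newly opened tab. The browser sends the same session
// cookie from every tab, so no credentials travel in the URL or the body.
@WebServlet("/resume") // hypothetical mapping
public class ResumeServlet extends HttpServlet {

    // Hypothetical allow-list: last action -> page to show next.
    // Resolving the page here means an unexpected value stored in the
    // session can never cause a forward to an arbitrary path.
    private static final Map<String, String> NEXT_PAGE = Map.of(
            "SERVICE_CALL_DONE", "/WEB-INF/pages/result.jsp",
            "PROFILE_EDIT", "/WEB-INF/pages/profile.jsp");

    private static final String HOME = "/WEB-INF/pages/home.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // false: never create a session for an unauthenticated visitor.
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("username");

        if (!(user instanceof String)) {
            // No valid session: send this tab to the login page.
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }

        // "lastAction" is assumed to be stored by whichever handler
        // served the previous request in the other tab.
        Object last = session.getAttribute("lastAction");
        String page = (last instanceof String)
                ? NEXT_PAGE.getOrDefault((String) last, HOME)
                : HOME;

        req.setAttribute("username", user);
        resp.setHeader("Cache-Control", "no-store"); // per-user page, keep out of caches
        req.getRequestDispatcher(page).forward(req, resp);
    }
}
```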