
I'm implementing a temporary and very simple token-style authentication mechanism for an application.

The idea is very simple. Whenever a user logs in to the application, a token is returned to the client, which stores it in the sessionStorage data structure of the browser.

Now, whenever I do a request through AJAX I can send the token with the request and the server can verify if this token is associated with an authentication or username. If it is, it parses the request normally; if not, an error page or the initial page is returned or displayed.

I'm not sure if this is the way that token-style authentication and authorization is implemented in real or serious applications, but I now have no idea how to send the token when doing GET requests by just clicking on the link of a view.

My only idea would be to intercept the GET requests so that I can fill them with the token, but this all seems to be quite odd, and I already have a lot of links and views.

nbro
  • Try using cookies instead of `sessionStorage`. – Sam May 28 '16 at 14:48
  • @Sam Do you know of any example or tutorial that would lead me in the right direction? – nbro May 28 '16 at 14:52
  • I've not used Spring but I googled and found http://www.kscodes.com/spring-mvc/spring-mvc-cookie-handling/ – Sam May 28 '16 at 14:56
  • @Sam Ok, in the example, the cookie is simply set. This cookie will be sent to the server on every request. But what if I want to allow the connection of the same user from multiple devices? – nbro May 29 '16 at 16:35
  • You would have to set the cookie on each device. This is normal. When you use a new device to access a website, you have to enter your username and password again, so the site can set the cookie on the new device. – Sam May 29 '16 at 16:38
  • @Sam I understood, but how do I differentiate on the server between the devices or in general different logins of the same user? – nbro May 29 '16 at 16:49
  • @Sam But that doesn't help to differentiate if a request is being done from device `A` or `B`. Another problem is the following. If I've 2 users logged in, say `X` and `Y`, and therefore say I've the following 2 cookies `X -> abc` and `Y -> efd`. These two cookies are apparently sent every time in the request, no matter if they belong to different logins and users (maybe because I've logged in with the 2 different users from the same browser?). In a controller on the server, I would not know how to differentiate if a request comes from one logged user or from another... – nbro May 29 '16 at 17:00
  • Typically, websites don't let you log in with two different accounts in the same browser. If you wanted to implement that, you would have to display a prompt to the user asking them which of their logged-in accounts they wanted to use. When they made that selection, you could set an additional cookie to convey that information to the server. – Sam May 29 '16 at 17:05

3 Answers


Search for Json Web Tokens and for implementations on java. This is exactly what you need.

If you want to send to the user some sensitive data inside the jwt, use Json Web Encryption.

You can send that token on each request header or as a request parameter

aviad
  • Can you show me a concrete example of the usage of JWT using JS and Spring? – nbro May 29 '16 at 16:30
  • There are a couple of implementations in Java presented on the jwt.io site. One of them is jose4j: https://bitbucket.org/b_c/jose4j/wiki/Home. – aviad May 29 '16 at 17:03
  • There you have many examples of how to do it regardless of spring. Just write your own Component class that wraps it in spring. In js, just add a special request parameter - call it jwe. Or add it to the request header – aviad May 29 '16 at 17:06
  • If you still don't get it, I'll post some code. But you should really perform your own search to ensure you choose the best methodology and implementation. – aviad May 29 '16 at 17:09

You can set a cookie, ensure to set it HttpOnly (and Secure if you are on an HTTPS site) and read the cookie on every request that reaches the server.

Hooch
  • Any concrete example maybe that uses Java, Spring and Javascript? – nbro May 28 '16 at 14:53
  • You should also consider, for security, to adopt the JWT (Json Web Token) – Hooch May 28 '16 at 15:01
  • The cookie is sent on every request... and, for example, if I allow a user to connect more than once, and the key of the cookie is the username, then this won't work, because on every login the value associated with a certain username is overwritten. If the key of the cookie is a generated random token, then I can't differentiate between different logins of the same user on the server side...how would you tackle this problem? – nbro May 29 '16 at 16:32
  • In jwt you can set custom attributes in the token. No need to save a user - token map server side. – Hooch May 29 '16 at 16:36

You can use JWT token (see https://jwt.io/introduction/). JWT is basically a JSON data structure. Usually, the token is passed along in the authorization http header.