Security web login architecture?

Tag: security , website , login , web-security , server-side Author: lvya1226 Date: 2011-04-16

I've implemented a login on a site (didn't use the default). When a user logs in I save his IP in the DB. If he doesn't do anything for X min his IP gets deleted. Whenever a user tries to enter a page that is restricted I check if his IP is in the DB. If so he can continue. The problem is that if the logged-on user is on a wifi network or any other shared network, all the other users will have the same IP, and that's not good. How can I overcome this problem? Are cookies the best answer?

Best Answer

How is the user logging in? Username/password? I'm assuming the password is stored as a salted hash in the database, so why not pass a cookie back with the user's username and hashed password? Whenever they try to access a restricted area, check that username/password hash against your database. Make sure to sanitize the cookie values before checking them against your database to prevent injection. Or, depending on the language this is in, you could use session tracking.


And rely only on cookies? Or combine it with my IP method? I used it plus a session ID.

Other Answer1

I'm assuming by the tags that you're using WebLogic Server for your solution, although your comment about makes me wonder. (although no ASP tags set for the question?)

The short answer is that you're making life harder than it needs to be - if I understand your problem correctly - that you want an idle user's session to be timed out after a certain period of inactivity for security reasons - then you can do this via application configuration with the session-timeout parameter:

Wherever possible when security's involved, I always prefer to avoid rolling my own solution. Just not smart enough to trust it. :-)

Apologies if I'm off in my understanding here.


I apologise. I tried to tag weblogin, I saw that it was weblogic and changed it. Maybe I didn't save it. I didn't tag because it's an idea matter and not language related.
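As an added illustration (not code from either answer or from the original question), here is the "session tracking" alternative the best answer mentions, with the idle timeout the other answer describes as a configuration knob: the server keeps a random session ID to user mapping in its own store, hands only the opaque ID to the browser in a cookie, and expires the entry after a period of inactivity. Because the key is a per-login random token rather than the client IP, two users behind the same wifi router or NAT get distinct sessions. The `FakeClock`, the 15-minute default, and the usernames are constructed for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional

# "X min" from the question; 15 minutes is an assumed value for the example.
IDLE_TIMEOUT_SECONDS = 15 * 60


class SessionStore:
    """Server-side session table keyed by an unguessable random session ID.

    Nothing about the user (name, password hash) leaves the server; the
    browser only ever holds the opaque ID. Expiry is sliding: every
    successful lookup counts as activity and pushes the deadline forward.
    """

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so tests can simulate idle time
        self._sessions: Dict[str, Dict[str, object]] = {}

    def create(self, username: str) -> str:
        """Start a session after a successful password check; returns the ID."""
        # 32 random bytes (~256 bits) from the OS CSPRNG, URL-safe encoded.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user": username, "last_seen": self._clock()}
        return session_id

    def user_for(self, session_id: str) -> Optional[str]:
        """Return the logged-in username, or None if unknown or idle too long."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        now = self._clock()
        if now - float(entry["last_seen"]) > self._idle_timeout:
            del self._sessions[session_id]  # idle session is gone for good
            return None
        entry["last_seen"] = now  # activity: slide the expiry window
        return str(entry["user"])

    def destroy(self, session_id: str) -> None:
        """Explicit logout: drop the server-side entry so the cookie is useless."""
        self._sessions.pop(session_id, None)


def set_cookie_header(session_id: str) -> str:
    """Value for the Set-Cookie response header carrying only the opaque ID.

    HttpOnly keeps scripts away from it, Secure keeps it off plain HTTP,
    SameSite=Lax limits it being sent on cross-site requests.
    """
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_id_from_cookie_header(cookie_header: str) -> Optional[str]:
    """Pull the session ID out of an incoming Cookie request header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("session")
    return morsel.value if morsel is not None else None


class FakeClock:
    """Constructed stand-in for time.monotonic so idle periods can be simulated."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> Dict[str, Optional[str]]:
    """Two users behind one shared IP, then one of them goes idle."""
    clock = FakeClock(1000.0)
    store = SessionStore(idle_timeout=600, clock=clock)
    alice_sid = store.create("alice")  # both logins arrive from 203.0.113.7
    bob_sid = store.create("bob")      # (constructed shared-network address)
    results: Dict[str, Optional[str]] = {}
    results["alice_before"] = store.user_for(alice_sid)
    results["bob_before"] = store.user_for(bob_sid)
    clock.advance(599)                 # just under the limit: bob is active
    results["bob_refreshed"] = store.user_for(bob_sid)
    clock.advance(599)                 # alice has now been idle for 1198 s
    results["alice_after"] = store.user_for(alice_sid)
    results["bob_after"] = store.user_for(bob_sid)
    return results


if __name__ == "__main__":
    print(demo())
```

The cookie the browser stores is only a lookup key, so it reveals nothing if read and stops working the moment the server forgets it, whether by idle expiry or by `destroy` on logout. The same structure is what a servlet container provides through its `session-timeout` setting; the example just makes the mechanism visible.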