 

How do I keep a user logged into my site for months?

I'm using OpenID. How do I make it so that the user stays logged in for a long time even after closing the browser window?

How do I store and get access to the user's User object?

Basically, I guess I just don't really understand how sessions work in Java.

Kyle asked Feb 02 '10 16:02




2 Answers

So you actually want like a "Remember me on this computer" option? This is actually unrelated to OpenID part. Here's a language-agnostic way how you can do it:

  • First create a DB table with at least cookie_id and user_id columns. If necessary also add a cookie_ttl and ip_lock. The column names speak for themselves, I guess.

  • On first-time login (if necessary only with the "Remember me" option checked), generate a long, unique, hard-to-guess key (which is in no way related to the user) which represents the cookie_id and store this in the DB along with the user_id. Store the cookie_id as cookie value of a cookie with known cookie name, e.g. remember. Give the cookie a long lifetime, e.g. one year.

  • On every request, check if the user is logged in. If not, then check the cookie value cookie_id associated with the cookie name remember. If it is there and it is valid according to the DB, then automagically login the user associated with the user_id and postpone the cookie age again and, if any, also the cookie_ttl in the DB.

In Java/JSP/Servlet terms, make use of HttpServletResponse#addCookie() to add a cookie and HttpServletRequest#getCookies() to get cookies. You can do all the first-time checking in a Filter which listens on the desired resources, e.g. /* or maybe a bit more restricted.

With regard to sessions, you don't need them here. They have a shorter lifetime than you need. Only use the session to put the logged-in user or the "found" user in when it has a valid remember cookie. This way the Filter can just check its presence in the session and then doesn't need to check the cookies every time.

It's after all fairly straightforward. Good luck.

See also:

  • How to implement "Stay Logged In" when user login in to the web application
  • How do servlets work? Instantiation, sessions, shared variables and multithreading
BalusC answered Oct 14 '22 18:10
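The three steps above, worked through as an added example (this is not BalusC's code and not a servlet Filter): the token table, the issue step and the redeem-on-request step, in Python against an in-memory sqlite database so it runs stand-alone. Two points the answer leaves implicit are made concrete: only a hash of the cookie value is stored (a copied DB is then not a bag of valid cookies), and a presented token is consumed and replaced on every successful use, so a stolen cookie works at most once. The table and column names (remember_tokens, token_hash, user_id, expires_at), the user ids and the timestamps are constructed for the example.

```python
"""Remember-me tokens following the answer's scheme: random cookie_id -> user_id
in a table with a TTL, consulted only when there is no live session.
Added example; table/column names, user ids and timestamps are constructed."""
import hashlib
import secrets
import sqlite3
import time

COOKIE_NAME = "remember"
TTL_SECONDS = 365 * 24 * 3600            # "long lifetime, e.g. one year"


def open_store():
    """Step 1: the DB table, with the optional TTL column (cookie_ttl in the answer)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE remember_tokens ("
        " token_hash TEXT PRIMARY KEY,"   # SHA-256 of the cookie value, never the value itself
        " user_id    INTEGER NOT NULL,"
        " expires_at INTEGER NOT NULL)"
    )
    return db


def _hash(token):
    # Hash at rest: a leaked DB dump cannot be replayed as cookies.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_token(db, user_id, now=None):
    """Step 2: a long, unguessable value unrelated to the user, stored beside user_id."""
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)    # 256 random bits from the OS CSPRNG
    db.execute(
        "INSERT INTO remember_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)",
        (_hash(token), user_id, now + TTL_SECONDS),
    )
    db.commit()
    return token


def redeem_token(db, token, now=None):
    """Step 3: called when the session has no user.  Returns (user_id, new_token)
    on success, None otherwise.  The presented token is deleted either way and a
    fresh one issued, so a stolen cookie can be used once at most and the real
    user notices when their own cookie stops working."""
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT user_id, expires_at FROM remember_tokens WHERE token_hash = ?",
        (_hash(token),),
    ).fetchone()
    if row is None:
        return None
    user_id, expires_at = row
    db.execute("DELETE FROM remember_tokens WHERE token_hash = ?", (_hash(token),))
    db.commit()
    if expires_at <= now:
        return None                       # expired: treat exactly like an unknown token
    return user_id, issue_token(db, user_id, now)


def revoke_user(db, user_id):
    """Log out everywhere (password change, suspected theft): drop all of a user's tokens."""
    cur = db.execute("DELETE FROM remember_tokens WHERE user_id = ?", (user_id,))
    db.commit()
    return cur.rowcount


def set_cookie_header(token):
    """The Set-Cookie line the servlet's addCookie() should end up emitting."""
    return (f"Set-Cookie: {COOKIE_NAME}={token}; Max-Age={TTL_SECONDS}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    db = open_store()
    first = issue_token(db, 42, now=1_000_000)
    print(set_cookie_header(first))
    print(redeem_token(db, first, now=1_000_001))   # (42, '<new token>')
    print(redeem_token(db, first, now=1_000_002))   # None: already consumed
```

In the servlet Filter the answer describes, the cookie side of this is `new Cookie("remember", token)` with `setMaxAge`, `setHttpOnly` and `setSecure` before `response.addCookie(...)`, and a scan of `request.getCookies()` for the `remember` name on the way in; the redeem result is what gets put in the session so later requests skip the DB lookup.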


Well, the original reason I chose OpenID was so someone else could handle as much of the implementation and security of authentication for me.

After looking into OpenID more, it appears there is something called an "Immediate Request" (http://openid.net/specs/openid-authentication-2_0.html#anchor28).

When requesting authentication, the Relying Party MAY request that the OP not interact with the end user. In this case the OP MUST respond immediately with either an assertion that authentication is successful, or a response indicating that the request cannot be completed without further user interaction.

Because of this I think I could just store the user's openID url in the cookie, and use an immediate request to see if the user is authenticated or not. This way I don't have to do anything with my database, or implement any logic for preventing session hijacking of the long-lived cookie.

This method of doing it seems to be the way OpenID suggests to do it with their Relying Party Best Practices document.

Kyle answered Oct 14 '22 19:10
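The immediate-mode exchange this answer relies on, as an added example that is not part of the answer and not taken from any OpenID library: the relying party builds the checkid_immediate redirect, and on the way back classifies the OP's response as authenticated, setup_needed (the OP needs the user to show up in person) or rejected. Section 11 of the OpenID 2.0 spec still makes the RP check the response before trusting it, so the verification covers the return_to match, response_nonce freshness, and the HMAC over the fields listed in openid.signed under the association's MAC key. The OP endpoint, identifiers, association handle, nonce and MAC key are all constructed values.

```python
"""OpenID 2.0 checkid_immediate round trip, relying-party side.
Added example; endpoint, identifiers, assoc handle, nonce and key are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

NS = "http://specs.openid.net/auth/2.0"


def build_immediate_request(op_endpoint, claimed_id, return_to, realm, assoc_handle):
    """URL to redirect the browser to.  mode=checkid_immediate tells the OP it
    must not interact with the user; it answers id_res or setup_needed."""
    params = {
        "openid.ns": NS,
        "openid.mode": "checkid_immediate",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,   # no delegation in this example
        "openid.assoc_handle": assoc_handle,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return op_endpoint + ("&" if "?" in op_endpoint else "?") + urlencode(params)


def kv_signature(params, mac_key):
    """Spec section 6: HMAC over the Key-Value Form ('key:value\\n' per field) of the
    fields named in openid.signed, in that order, with the 'openid.' prefix stripped.
    Raises KeyError if a listed field is missing from the response."""
    signed = params["openid.signed"].split(",")
    kv = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)
    mac = hmac.new(mac_key, kv.encode("utf-8"), hashlib.sha256).digest()  # HMAC-SHA256 association
    return base64.b64encode(mac).decode("ascii")


def verify_response(query, mac_key, expected_return_to, seen_nonces):
    """Classify the OP's redirect back to return_to.
    Returns 'authenticated', 'setup_needed' or 'rejected'."""
    p = dict(parse_qsl(query, keep_blank_values=True))
    if p.get("openid.ns") != NS:
        return "rejected"
    mode = p.get("openid.mode")
    if mode == "setup_needed":           # negative immediate response (section 10.2)
        return "setup_needed"
    if mode != "id_res":
        return "rejected"
    signed = set(p.get("openid.signed", "").split(","))
    must_sign = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
    must_sign |= {f for f in ("claimed_id", "identity") if "openid." + f in p}
    if not must_sign <= signed:          # an unsigned field could be swapped by anyone
        return "rejected"
    if p.get("openid.return_to") != expected_return_to:
        return "rejected"
    nonce = p.get("openid.response_nonce", "")
    if not nonce or nonce in seen_nonces:   # replayed assertion
        return "rejected"
    try:
        expected_sig = kv_signature(p, mac_key)
    except KeyError:
        return "rejected"
    if not hmac.compare_digest(expected_sig, p.get("openid.sig", "")):
        return "rejected"
    seen_nonces.add(nonce)               # remember nonces of accepted responses only
    return "authenticated"


def constructed_op_response(mac_key, op_endpoint, claimed_id, return_to, assoc_handle, nonce):
    """What a cooperating OP sends back on success (constructed for the demo)."""
    p = {
        "openid.ns": NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    p["openid.sig"] = kv_signature(p, mac_key)
    return urlencode(p)


if __name__ == "__main__":
    key = b"\x11" * 32
    print(build_immediate_request("https://op.example/auth", "https://alice.example/",
                                  "https://rp.example/return", "https://rp.example/", "h-1"))
    q = constructed_op_response(key, "https://op.example/auth", "https://alice.example/",
                                "https://rp.example/return", "h-1", "2010-02-02T16:02:00Zabc")
    seen = set()
    print(verify_response(q, key, "https://rp.example/return", seen))   # authenticated
    print(verify_response(q, key, "https://rp.example/return", seen))   # rejected (replay)
```

The seen-nonce set stands in for whatever store the RP keeps across requests; in practice it is bounded by also rejecting nonces whose leading timestamp is older than the RP's clock skew allowance, and a stateless RP without an association instead sends the response to the OP in a check_authentication request.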