
I have a website that authenticates users with the Active Directory. This website is made for internal company use and does not hold any sensitive information. The website is secured with SSL. When a user logs in, his/her username and password will be transmitted to the server through POST. I then store his/her username in a session cookie with a TTL of 1 day, refreshed by every single web action. From this point on, every webpage will check to see if this cookie with the username exists. If it does, it will allow users to access that certain page. Logging out will just remove this cookie.

Would this way of authentication be acceptable? Is there a better way to handle user authentication? Is it necessary to use sessions instead and store session IDs in cookies?

David Yuan
  • Potentially answered by http://stackoverflow.com/questions/17000835/token-authentication-vs-cookies – CC. Aug 25 '15 at 22:08
  • Doesn't seem like a dup to me @CC. - The cookie in this case is just a username string. – Neil Smithline Aug 25 '15 at 22:20
  • @DavidYuan - storing unsigned user name in a cookie is effectively no security. Anyone can set the value of their cookie to any other user. No good. Before I can answer, what is the web or app server that you are using and what is the programming language? – Neil Smithline Aug 25 '15 at 22:23
  • The link above describes a better / safer solution. As the OP described it, there's an issue: anybody can impersonate anybody else just by manually setting a cookie with a username, or just changing own username to somebody else's. Might not have sensitive information today, but tomorrow likely turns out to be an issue. – CC. Aug 25 '15 at 22:24
  • @NeilSmithline Ya, that was one of the issues I was considering... I am using Python. However, even if I store session IDs in cookies, can't people just imitate that as well? – David Yuan Aug 25 '15 at 22:26
  • Your appserver likely supports secure sessions already. Why aren't you using that? – Neil Smithline Aug 25 '15 at 22:27
  • @NeilSmithline I am on a time crunch and I have a demo to show by tomorrow. Implementing this user authentication system with cookies was very simple and quick. This is my first time doing user authentication and I was mainly just wondering what the typical protocol is nowadays when it comes to user authentication. Regardless, I was planning on switching over to using sessions in the future. – David Yuan Aug 25 '15 at 22:36
  • Your app server likely provides a mechanism that is more secure and simpler than what you've done. That said, if you're going for a demo tomorrow, go with what you have and fix it later. When you're ready, google the name of your app server and the word 'authentication'. For example, [django authentication](https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&es_th=1&ie=UTF-8&client=ubuntu#q=django%20authentication). – Neil Smithline Aug 25 '15 at 22:42

1 Answer

It does work out nicely to use Sessions, yes. I don't know what language you'd be using, but storing information in general locally is a good idea (this does not include sensitive and private information, i.e. passwords).

Pages usually check your authentication (and its type) upon loading.

I've lost my touch with PHP, but for instance ASP.NET has a pretty neat (but complicated) Identity system where your login information would be stored in a separate Session, and destroyed upon logging off, but also stores information regarding its Type. This would later allow the developer to mark pages that would require a specific type of an Identity. For example:

```csharp
// Only users holding the "admin" role can reach this action
[Authorize(Roles = "admin")]
public ActionResult Index() {
    // Your action information
}
```

Again, I'm rusty with PHP, but I imagine it's similar where you'd simply check the Sessions before the <html> tag, i.e.

```php
<?php
    session_start();  // make $_SESSION available on this page
    // Redirect to the login page unless the session records a user type
    if (!isset($_SESSION["user-info"]["type"])) {
        header("Location: index.php");
        exit;         // stop rendering the protected page after the redirect
    }
?>
<html>
    ...
```

Overall, the way you use sessions in each of the back-end web development languages could differ, but the overall usability is the same. You'd use Sessions to store user information, store "basket" items, etc.

Toza
  • Thanks for your input. I am actually using Python and I was mainly just wondering what the typical protocol is to follow for doing user authentication: storing session IDs with cookies and using that to access session information, or another method. Regardless, I think I will be switching over to using sessions to store user information instead of cookies. – David Yuan Aug 25 '15 at 22:42
  • @David Do that. Cookies are mostly used to store 'long term' information that you'd want the browser to keep even when the user turns off the browser (like layout or usability configurations). I don't like doing this, but if you feel that your question has been answered, could you please mark an answer as questioned? (select an answer that satisfies your question) :) – Toza Aug 26 '15 at 05:47