I am trying to create a command line interface where I need to perform authentication and session management between the user (client) and an authentication server using Perl (using Starman from Plack).
What should be the basic steps to perform secure authentication and then session management after successful authentication?
I tried the steps below:
1- User enters his username and password on the client side
2- Client will encode the credentials and send them to the authentication server
3- Authentication server will validate the user credentials against the auth database and generate the session key (token) salted with the username and its login type
4- On successful authentication this session key (token) will be sent back to the client (user); otherwise undef will be sent and the client will throw the 'invalid user' error
5- This token will be sent with every command from the client side, and the server (not the auth server) which has the command definitions will validate the token and allow command execution based on the validation
6- Now the server has the user's login time and expiry time (say 2 hours), so the auth server will keep checking whether the user has passed the expiry time; if yes, then bring the user to the login prompt.
Kindly provide your feedback and suggestions on the above implementation.
Sounds ok. If the client can establish a persistent, bi-directional connection to the server, it doesn't have to send the session token all the time, only when it's establishing a connection.
Also, whenever the token is used, the expiration time should be pushed backwards.
If the connection between the server and the client is unencrypted, the server should send a nonce in the beginning (after step 1) and the client also generates a nonce. The client creates a hash of (password, server nonce, client nonce) and sends the hash together with the client nonce to the server.
That way the password remains protected even if there is a passive attacker. To protect against an active attacker (MiTM) you need something more sophisticated such as Diffie-Hellman key exchange.
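The nonce-based challenge-response exchange from the answer, followed by token issuance and the sliding expiry it recommends, as an added Python example that is not part of the original post or the asker's Perl code. The user table, nonce format and 2-hour TTL are constructed for the demo, and the server is assumed to hold the same password-derived secret the client hashes.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo credential store: the answer's scheme requires the server to hold
# the same password-derived secret the client hashes (assumption for this example).
USERS = {"alice": "correct horse battery staple"}
SESSION_TTL = 2 * 3600   # the question's 2-hour expiry, in seconds
sessions = {}            # token -> {"user": ..., "expires": ...}

def _proof(secret, server_nonce, client_nonce):
    """hash(password, server nonce, client nonce) as HMAC-SHA256 keyed by the secret."""
    msg = f"{server_nonce}:{client_nonce}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()

def server_challenge():
    """After the username arrives, the server sends a fresh random nonce."""
    return secrets.token_hex(16)

def client_response(password, server_nonce):
    """Client picks its own nonce and returns (client_nonce, proof) to send back."""
    client_nonce = secrets.token_hex(16)
    return client_nonce, _proof(password, server_nonce, client_nonce)

def server_verify(username, server_nonce, client_nonce, proof, now=None):
    """Recompute the proof and compare in constant time; on match issue a token."""
    secret = USERS.get(username)
    if secret is None:
        return None                 # unknown user: same outcome as a bad proof
    expected = _proof(secret, server_nonce, client_nonce)
    if not hmac.compare_digest(expected, proof):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    sessions[token] = {"user": username, "expires": now + SESSION_TTL}
    return token

def check_token(token, now=None):
    """Per-command check on the command server; each valid use slides the expiry."""
    now = time.time() if now is None else now
    sess = sessions.get(token)
    if sess is None or sess["expires"] <= now:
        sessions.pop(token, None)   # drop expired sessions eagerly
        return None
    sess["expires"] = now + SESSION_TTL
    return sess["user"]
```

Because the proof is bound to the server's nonce, a captured (client_nonce, proof) pair cannot be replayed against a later challenge.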