Tags: java, google-app-engine, cookies, session-cookies, httpcookie

Cookie and security in Java (GAE)


Currently, in my application, cookies for users are generated in a certain format containing the userID. I want my cookie to be generated randomly after every login, so that even if a cookie were stolen once, it could never be used forever by a hacker.

What is the best practice for handling cookies this way? How should I store/retrieve them (hashtable/datastore...)?

Thanks


Solution

  • You can try the following parameters:

    • user id
    • time to live (milliseconds)
    • a hash of:
      • user password
      • user id
      • remote IP or browser
      • time to live (exactly the same as above)
      • and maybe a predefined string or salt

    Join them into one string (like 13413:1826271762:b026324c6904b2a9cb4b88d6d61c81d1) and store it in a cookie such as USERID.

    On every request you need to:

    • check that the specified time is valid (less than current)
    • load the user from the database by the specified ID
    • validate the hash signature (against the current remote IP/browser and current password)
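The scheme from this answer written out in Java, as an added example that is not the answerer's code: the cookie value is userId:expiry:signature and is re-checked on every request. It departs from the answer in two places, stated plainly: the "predefined string or salt" is a server-side key and the signature is an HMAC-SHA256 over the fields rather than a plain hash, and the comparison is constant-time. The PasswordLookup interface, SERVER_KEY and the client fingerprint string are assumed placeholders, and the sample user in main is constructed.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

public final class SessionToken {
    // Hypothetical server-side secret, standing in for the answer's "predefined string or salt"; used as the HMAC key.
    private static final byte[] SERVER_KEY = "REPLACE-WITH-RANDOM-32-BYTE-KEY".getBytes(StandardCharsets.UTF_8);
    // Hypothetical datastore lookup: the answer's "load user from database, by specified ID".
    public interface PasswordLookup { String passwordHashFor(long userId); }
    // Builds "userId:expiresAt:signature"; the signature covers both fields plus the password hash and client fingerprint.
    public static String build(long userId, long expiresAtMillis, String passwordHash, String clientFingerprint) {
        return userId + ":" + expiresAtMillis + ":" + sign(userId, expiresAtMillis, passwordHash, clientFingerprint);
    }
    // Returns the userId if the token is well-formed, unexpired and correctly signed; otherwise -1.
    public static long verify(String token, long nowMillis, PasswordLookup db, String clientFingerprint) {
        String[] parts = token.split(":");
        if (parts.length != 3) return -1;
        long userId, expiresAt;
        try { userId = Long.parseLong(parts[0]); expiresAt = Long.parseLong(parts[1]); }
        catch (NumberFormatException e) { return -1; }
        if (expiresAt <= nowMillis) return -1;               // expired: reject before touching the datastore
        String passwordHash = db.passwordHashFor(userId);
        if (passwordHash == null) return -1;                 // unknown user
        // Recompute the signature: a password change or a different client fingerprint invalidates the cookie.
        byte[] expected = sign(userId, expiresAt, passwordHash, clientFingerprint).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so response timing does not reveal how many bytes matched.
        return MessageDigest.isEqual(expected, parts[2].getBytes(StandardCharsets.UTF_8)) ? userId : -1;
    }
    private static String sign(long userId, long expiresAt, String passwordHash, String clientFingerprint) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SERVER_KEY, "HmacSHA256"));
            String msg = userId + "|" + expiresAt + "|" + passwordHash + "|" + clientFingerprint;
            return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(msg.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
    public static void main(String[] args) {
        PasswordLookup db = id -> id == 13413 ? "constructed-password-hash" : null;  // constructed sample user
        long now = 1_700_000_000_000L, expires = now + 3_600_000;                     // one-hour time to live
        String cookie = build(13413, expires, db.passwordHashFor(13413), "203.0.113.7|Mozilla/5.0");
        System.out.println(verify(cookie, now, db, "203.0.113.7|Mozilla/5.0"));          // same client, in time
        System.out.println(verify(cookie, now, db, "198.51.100.9|Mozilla/5.0"));         // replayed from another client
        System.out.println(verify(cookie, now + 7_200_000, db, "203.0.113.7|Mozilla/5.0")); // replayed after expiry
    }
}
```

Because the signature is recomputed from the stored password hash, changing the password invalidates every outstanding cookie for that user without any server-side session table.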