2017 Kodetalk

Keeping a user logged in to the system/application after session timeout, with basic security

Overview:


We develop applications to make users' work easier. Usually a web application times out the session, after which the user needs to log in to the application again. Making the session timeout very long is no use either: we would be holding memory for the session even while the user is not using the system. So we need a way to keep the user logged in to the system even after the session has timed out.


In Details:


What we can do is create a cookie for the user that holds a user token; the unique token represents the user. Every time the user comes to any page of the application we check whether the token exists. If the token exists and the session has timed out, we create a new session. The problem is then to make the cookie secure, since otherwise anyone can tamper with it. There is another problem: we need to make sure the cookie is accessible to all pages. Let's see how to code this using Java and the Spring framework.


For login we usually write something like the following:


// Assume the session timeout configured in the server is 2 minutes.

if (validate(userid, password)) {
   // Mark the user as logged in and show the requested page.
}

Once the user is validated we can create a cookie as below:

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public void addCookie(HttpServletRequest request, HttpServletResponse response) throws Exception {
   // For security the value is an encrypted user token, never the plain user id.
   Cookie cookie = new Cookie("cookie name", "encrypted user token");
   cookie.setSecure(true); // The cookie is only sent over HTTPS.
   cookie.setHttpOnly(true); // Not readable from JavaScript: https://www.owasp.org/index.php/HttpOnly
   cookie.setPath("/"); // The cookie is sent to all pages of the application.
   cookie.setMaxAge(864000); // In seconds: the cookie stays valid for 10 days.
   response.addCookie(cookie);
}

Now the same login logic becomes:

if (validate(userid, password)) {
   addCookie(request, response);
   // Mark the user as logged in and show the requested page.
}

As we set the session timeout to 2 minutes in the server, if the user is idle for more than 2 minutes the existing session is lost.


To regain the same session we need an interceptor that intercepts every request, checks the cookie and makes a session available for the user again.

Obviously, if a session already exists for the user we should not create it again on every request. So the interceptor can follow the logic below.

import java.util.Objects;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

public class RememberMeInterceptor extends HandlerInterceptorAdapter {

   // Must be the same name used in addCookie(); "remember-me" is only a placeholder.
   private static final String COOKIE_NAME = "remember-me";

   @Override
   public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
         throws Exception {
      // Only look at the cookie when no session exists for the user (the old one timed out).
      if (request.getSession(false) == null) {
         Cookie[] cookies = request.getCookies();
         if (Objects.nonNull(cookies)) {
            for (Cookie cookie : cookies) {
               if (Objects.nonNull(cookie) && COOKIE_NAME.equals(cookie.getName())
                     && !cookie.getValue().trim().isEmpty()) {
                  makeTheSessionAvailableAgain(request, cookie.getValue());
                  // Add the cookie again on every intercept so its 10-day lifetime is refreshed.
                  Cookie cook = new Cookie(COOKIE_NAME, cookie.getValue());
                  cook.setSecure(true); // The cookie is only sent over HTTPS.
                  cook.setHttpOnly(true); // https://www.owasp.org/index.php/HttpOnly
                  cook.setPath("/"); // The cookie is sent to all pages of the application.
                  cook.setMaxAge(864000); // In seconds: the cookie stays valid for 10 days.
                  response.addCookie(cook);
                  return true;
               }
            }
         }
      }
      return super.preHandle(request, response, handler);
   }

   private void makeTheSessionAvailableAgain(HttpServletRequest request, String token) {
      // Decrypt and validate the token first: a cookie can be tampered with, so its value
      // must never be trusted as-is. Then create a new session (the old one is already
      // invalidated) and put the user's data back into it.
      HttpSession session = request.getSession(true);
      // session.setAttribute("user", userLoadedFromToken); -- application specific
   }
}
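The post says the cookie value must be an encrypted user token so that nobody can tamper with it. As an added example (not code from the original post), here is one way to make the token tamper-evident with an HMAC instead of encryption: the value carries the user id, an expiry and a MAC over both, and the interceptor should only recreate a session for a value whose MAC verifies. The class name, the key and the user ids are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Token layout: base64url(userId) "." expiryMillis "." base64url(HMAC-SHA256 over the first two parts)
public class RememberMeToken {
   private static final String ALG = "HmacSHA256";
   private final byte[] key; // server-side secret; load it from configuration in a real deployment
   public RememberMeToken(byte[] key) { this.key = key.clone(); }

   public String create(String userId, long expiryMillis) throws Exception {
      String payload = b64(userId.getBytes(StandardCharsets.UTF_8)) + "." + expiryMillis;
      return payload + "." + b64(mac(payload));
   }

   // Returns the user id when the MAC matches and the token has not expired, otherwise null.
   public String verify(String token, long nowMillis) throws Exception {
      String[] parts = token.split("\\.");
      if (parts.length != 3) return null;
      byte[] given;
      long expiry;
      try {
         given = Base64.getUrlDecoder().decode(parts[2]);
         expiry = Long.parseLong(parts[1]);
      } catch (IllegalArgumentException e) { // NumberFormatException is a subclass
         return null;
      }
      // Constant-time comparison so a forged MAC cannot be found byte by byte.
      if (!MessageDigest.isEqual(mac(parts[0] + "." + parts[1]), given)) return null;
      if (nowMillis > expiry) return null;
      return new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
   }

   private byte[] mac(String data) throws Exception {
      Mac m = Mac.getInstance(ALG);
      m.init(new SecretKeySpec(key, ALG));
      return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
   }
   private static String b64(byte[] b) {
      return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
   }

   public static void main(String[] args) throws Exception {
      RememberMeToken t = new RememberMeToken("demo-key-change-me".getBytes(StandardCharsets.UTF_8)); // constructed key
      long now = System.currentTimeMillis();
      String tok = t.create("alice", now + 864000L * 1000); // same 10-day lifetime as the cookie
      // Swap the user id for another one; the MAC no longer matches, so verify() returns null.
      String forged = b64("admin".getBytes(StandardCharsets.UTF_8)) + tok.substring(tok.indexOf('.'));
      System.out.println("valid -> " + t.verify(tok, now) + ", forged -> " + t.verify(forged, now));
   }
}
```

In the interceptor, verify() would be called on cookie.getValue() before makeTheSessionAvailableAgain(); a null result means the cookie is dropped and the request falls through to the normal login.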

NOTE:


1) Configure the interceptor.

2) Make sure you set the cookie path to the root ("/").

3) Make sure you add the cookie again on every intercept.

4) On user logout, make sure you remove the cookie by adding the same cookie with setMaxAge(0).


Add your comments for any clarification.