I am building a secure system, that must be sure, that the user sending it messages is the same that received an access key. Example.

User Bob, has a property uniqueCode, that is unique just to him, and would enable him to receive various information from the server.

There is a web service, that has various methods for returning various sensitive data. When a client the user is using first connects to the web service, it does so via authenticate method, that

1. generates a pseudo random key for this user
2. saves that key on the server and returns it to the user.

Each subsequent request from the client to the WS requires the uniqueCode and the key. If the pair is valid, the request returns the needed information. If there has been no activity for x minutes, the key is invalidated, and the client asks the user to log in again.

Now my question is, how to store the key on the server? The key would be a Java object, that could be serialized.

My options

• Keep them in a session. This is what a senior programmer at the company suggested, but that doesn’t seem to be the way to go. Everywhere I read, the suggest that WS should not rely on underlying HTTP sessions.
• Keep them in a database. A possible solution, but that would require me to create a specific database, adding a whole another level to the problem.
• Keep them in binary encrypted files. This one seems the way to go, but is it? Since I would generate a key upon login, I could save the key+some info in a binary file, encrypt it by itself, and the pass it to the user. If the key I receive back can decipher the users file, and the information is correct, return the information the user requested.

Is my thinking correct, or am I missing something? I reckon that the last one would be the safest way to go, since if someone gains access to my system, breaking into db would be easy, but deciphering a file without knowing another users key would be quite tough.

Thanks!