I’m in a situation where I need to create my own authentication for a web application, and I want to get some input into how secure my approach is.
Pretty much, this is the logic I will follow:
Registration:
- User sends over their user name and password over HTTPS.
- Password will be encrypted using SHA1 and stored in the database.
Login:
- User provides user name and password over HTTPS.
-
Password is converted to SHA1 and compared against the password in the database
IF the passwords match
the users id will be stored in their session under the user_id key.ELSE
the user will be directed back to the login page
Logic that is performed before pages that require authentication:
-
The user’s session will be checked to see if their ID is stored
IF the user’s id is found in their session
user is permitted to view the pageELSE
user is given a 404 response.
So how secure is this? Am I missing anything I should be doing?
Thanks for your input.
UPDATE:
Some people wanted to what environment I’m using – I’m working in a java servlet environment. To my understanding java stores sessions on the server, and just stores the sessionid in a cookie. Which makes me wonder if java’s HttpSession has measures to ensure that someone’s session key can’t be stolen?
This part seems to be ok except what Matthew already said. Some things you should also think about: