My web application consists of 2 parts:
- GWT app that does all the work.
- Handmade servlet aimed to handle OpenID authentication facility.
I need to wire p.2 to p.1. I’m reading LoginSecurityFAQ, so I’d like to confirm whether my understanding is correct here.
- Once OpenID provider confirms that user is OK and gives me its identity, I should register the session.
- To “register” the session, I should store somewhere in my DB a mapping between OpenID identity and a session id (identity=”https://www.google.com/accounts/o8/id?id=wwyruiwncuyrwieruyfakefakefake” and session id is a large random string like “HiuhoiuhIUHOIUY87Y*&Ttgi6yUYGIuygUHGugyg^G6g”).
- That session id should be stored on client side in a cookie.
- Every time any request is sent from client side, on server side I should check whether client’s session id is still fresh enough (alive) and I should also use it to resolve client’s identity in case I need it.
Is it right? Is it secure enough in case session ID is really large?
Your thinking is right, I do it more or less like that too.
Just a few notes:
1) In case you want to persist the identity, do not forget to set the realm right. Depending on OpenID provider you may end up with a different identity for the same user on next login otherwise. I think Google’s OpenID requires you to use your server name plus port:
2) Why create your own session management? It is quite a lot of extra work and you might end up writing up something insecure. Use common http servlet sessions.
3) You won’t need to manage session timeouts if you use http sessions, but if you need to intercept all GWT RPC calls, the right place might be overriding service method in your RemoteServiceServlet implementation.