Velocity Reviews - Computer Hardware Reviews

tracking logins

Roedy Green
01-28-2009
What schemes have you seen/conceived of for a server to keep track of
which login session a client is?

1. have the client send in a cookie containing the session id with
each request.

2. keep a TCP/IP stream open.

3. allow only one session per IP, and track IP.


--
Roedy Green Canadian Mind Products
http://mindprod.com

"Here is a point of no return after which warming becomes unstoppable
and we are probably going to sail right through it.
It is the point at which anthropogenic (human-caused) warming triggers
huge releases of carbon dioxide from warming oceans, or similar releases
of both carbon dioxide and methane from melting permafrost, or both.
Most climate scientists think that point lies not far beyond 2°C (4°F) hotter."
~ Gwynne Dyer

Arne Vajhøj
01-28-2009
Roedy Green wrote:
> What schemes have you seen/conceived of for a server to keep track of
> which login session a client is?
>
> 1. have the client send in a cookie containing the session id with
> each request.
>
> 2. keep a TCP/IP stream open.
>
> 3. allow only one session per IP, and track IP.


For a web app the web container maintains session via
cookies or URL rewriting without any user code.

For a traditional fat client - server daemon context
a permanent socket seems the most obvious.

Arne

PS: IP check is not good because multiple valid users can be
sitting behind the same NAT firewall.

Mark Space
01-28-2009
Roedy Green wrote:
> What schemes have you seen/conceived of for a server to keep track of
> which login session a client is?
>
> 1. have the client send in a cookie containing the session id with
> each request.


Good.

>
> 2. keep a TCP/IP stream open.


Will be annoying for users on poor connections, since each time they
lose a connection they'll have to log in again.


>
> 3. allow only one session per IP, and track IP.


As Arne pointed out, almost all forms of gateways and routers in popular
use will break this. They all re-use one IP address for a group of
client machines. Only source port+IP address is guaranteed to be
unique. Also, one client can attach multiple times on a different
socket and will use the same IP address. This could create concurrency
problems for your app if you don't handle this carefully.

alexandre_paterson@yahoo.fr
01-28-2009
On Jan 28, 1:36 am, Arne Vajhøj <(E-Mail Removed)> wrote:
> Roedy Green wrote:

....
> PS: IP check is not good because multiple valid users can be
> sitting behind the same NAT firewall.


Indeed!

And for webapps it's even worse than that. One session per IP not
only fails for the reason you mentioned, but it will also fail
because it's also perfectly valid (and very common --anyone
monitoring successful websites has encountered that) to have
different requests --even for elements on a same webpage-- coming
from different IPs for a single user.

You may even have all GET requests coming from one IP and all
POST requests coming from another IP for a single user.

Alex

Mark Space
01-28-2009
(E-Mail Removed) wrote:

> different requests --even for elements on a same webpage-- coming
> from different IPs for a single user.


Are you sure about that? I've heard of different requests from the same
user from the same IP, but not from the same user and different IPs.
What network configuration would actually yield that type of event?

I guess a really big NAT, with multiple machines, each with its own IP
address, NATing the same user through different machines... Hmmm, tricky....

Yeah, I could see that... cookies or old single session connections it
is then.

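The cookie-based design the thread settles on, worked through as an added example; this is not code from any post in the thread, and it is written in Python rather than Java so it runs stand-alone. The cookie name, idle timeout and addresses are constructed. The server keeps only a hash of the random session id, the client address is recorded but never used to find the session, and the scenario at the bottom shows why: alice and bob share one NAT address, and alice also turns up from a second address, which an id lookup separates cleanly and an IP lookup cannot.

```python
import hashlib
import secrets
import time
from http.cookies import CookieError, SimpleCookie

SESSION_COOKIE = "SESSIONID"   # cookie name: an assumption for the example
SESSION_TTL = 30 * 60          # idle timeout in seconds: an assumption


class SessionStore:
    """Server-side session table keyed by an opaque random id carried in a cookie.

    The client address is recorded for audit only. It is never used to find the
    session: users behind one NAT share an address, and one user may arrive
    from several addresses during a single page load.
    """

    def __init__(self, ttl=SESSION_TTL, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._by_hash = {}     # sha256(session id) -> record

    @staticmethod
    def _key(sid):
        # Only a hash of the id is stored: a leaked table yields no usable
        # cookies, and the lookup never compares the secret itself.
        return hashlib.sha256(sid.encode()).hexdigest()

    def login(self, user, client_ip):
        sid = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        self._by_hash[self._key(sid)] = {
            "user": user,
            "ips": {client_ip},
            "expires": self._clock() + self._ttl,
        }
        return sid

    @staticmethod
    def set_cookie_header(sid):
        # HttpOnly keeps page scripts away from the id; Secure keeps it off
        # plain HTTP, which is where the "snoop copies the cookie" risk lives.
        return f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def resolve(self, cookie_header, client_ip):
        """Return the logged-in user for one request, or None."""
        jar = SimpleCookie()
        try:
            jar.load(cookie_header or "")
        except CookieError:
            return None
        morsel = jar.get(SESSION_COOKIE)
        if morsel is None:
            return None
        key = self._key(morsel.value)
        rec = self._by_hash.get(key)
        if rec is None:
            return None                       # unknown or forged id
        now = self._clock()
        if now >= rec["expires"]:
            del self._by_hash[key]            # idle too long: treat as logged out
            return None
        rec["expires"] = now + self._ttl      # sliding idle timeout
        rec["ips"].add(client_ip)             # record the address, do not enforce it
        return rec["user"]

    def users_seen_from(self, client_ip):
        """What an IP-keyed scheme is left with: every live session seen from this address."""
        return sorted(r["user"] for r in self._by_hash.values() if client_ip in r["ips"])


def nat_scenario():
    """Constructed traffic: alice and bob behind one NAT address, then alice from a second one."""
    store = SessionStore()
    nat_ip, other_ip = "203.0.113.7", "198.51.100.21"   # RFC 5737 documentation ranges
    alice = store.login("alice", nat_ip)
    bob = store.login("bob", nat_ip)
    return {
        "alice_home": store.resolve(f"{SESSION_COOKIE}={alice}", nat_ip),
        "bob_home": store.resolve(f"{SESSION_COOKIE}={bob}", nat_ip),
        "alice_elsewhere": store.resolve(f"{SESSION_COOKIE}={alice}", other_ip),
        "forged": store.resolve(f"{SESSION_COOKIE}={'A' * 43}", nat_ip),
        "no_cookie": store.resolve(None, nat_ip),
        "by_ip": store.users_seen_from(nat_ip),    # ambiguous: both users
    }


def expiry_demo():
    """Same id before and after the idle timeout, with an injected clock."""
    t = [0.0]
    store = SessionStore(ttl=10, clock=lambda: t[0])
    sid = store.login("carol", "203.0.113.7")
    before = store.resolve(f"{SESSION_COOKIE}={sid}", "203.0.113.7")
    t[0] = 11.0
    after = store.resolve(f"{SESSION_COOKIE}={sid}", "203.0.113.7")
    return before, after


if __name__ == "__main__":
    print(nat_scenario())
    print(expiry_demo())
```

The id is a pure lookup key with no structure to guess, so the only way to present a valid one is to have been issued it or to have captured it in transit; the cookie attributes and the idle timeout are what narrow the second route. A servlet container's JSESSIONID does the equivalent of this table for you, which is Arne's point above.
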
 
angrybaldguy@gmail.com
Guest
Posts: n/a
 
      01-28-2009
On Jan 27, 8:26*pm, Roedy Green <(E-Mail Removed)>
wrote:
> What schemes have you seen/conceived of for a server to keep track of
> which login session a client is?
>
> 1. have the client send in a cookie containing the session id with
> each request.
>
> 2. keep a TCP/IP stream open.
>
> 3. allow only one session per IP, and track IP.


4. HTTP auth, which sends credentials or a token with every request.
It's similar to 1, but implemented differently.

-p

cutiebabe08@gmail.com
01-28-2009
On Jan 28, 9:35 am, (E-Mail Removed) wrote:
> On Jan 27, 8:26 pm, Roedy Green <(E-Mail Removed)>
> wrote:
>
> > What schemes have you seen/conceived of for a server to keep track of
> > which login session a client is?

>
> > 1. have the client send in a cookie containing the session id with
> > each request.

>
> > 2. keep a TCP/IP stream open.

>
> > 3. allow only one session per IP, and track IP.

>
> 4. HTTP auth, which sends credentials or a token with every request.
> It's similar to 1, but implemented differently.
>
> -p


Hello...

I would like to ask you a simple question.

I have this problem. One guy has hacked my account twice
now. I know he is going to be coming back. I got my account back
because my other friends scolded him and told him to give me back my
password. I am getting very frustrated. I do not wish to encounter
this problem again. I made the strongest passwords (believe me,
I'm good at creating strong passwords). I set up the security questions
for the password. He is like a programmer who knows how to hack people's
accounts. And I need professional help to make sure he won't do
this again. How can I do it? How should I report this person to Google?
Is there any better way?
My Gmail accounts are very personal. He keeps bothering me a lot.
Please help me.

If this isn't the question you should be answering, where should I ask
this question?
Please help

Thanks a lot

Arne Vajhøj
01-28-2009
(E-Mail Removed) wrote:
> I have this problem. One guy has hacked my account twice
> now. I know he is going to be coming back. I got my account back
> because my other friends scolded him and told him to give me back my
> password. I am getting very frustrated. I do not wish to encounter
> this problem again. I made the strongest passwords (believe me,
> I'm good at creating strong passwords). I set up the security questions
> for the password. He is like a programmer who knows how to hack people's
> accounts. And I need professional help to make sure he won't do
> this again. How can I do it? How should I report this person to Google?
> Is there any better way?
> My Gmail accounts are very personal. He keeps bothering me a lot.
> Please help me.
>
> If this isn't the question you should be answering, where should I ask
> this question?


Unless the web app in question is coded in Java and you have
access to change the code in the web app, then this is not
the right forum.

Arne

Roedy Green
01-28-2009
On Wed, 28 Jan 2009 11:06:16 -0800 (PST), (E-Mail Removed) wrote,
quoted or indirectly quoted someone who said :

>I have this problem. One guy has hacked my account twice
>now. I know he is going to be coming back. I got my account back
>because my other friends scolded him and told him to give me back my
>password. I am getting very frustrated. I do not wish to encounter
>this problem again. I made the strongest passwords (believe me,
>I'm good at creating strong passwords). I set up the security questions
>for the password. He is like a programmer who knows how to hack people's
>accounts. And I need professional help to make sure he won't do
>this again. How can I do it? How should I report this person to Google?
>Is there any better way?
>My Gmail accounts are very personal. He keeps bothering me a lot.
>Please help me.


If he is guessing your password, try using an 8-char password created
by this program http://mindprod.com/applet/password.html

If he is hacking into the server, that is the problem of whoever
manages the server. Tell them what is happening and ask them to apply
whatever security patches there are for their OS.
--
Roedy Green Canadian Mind Products
http://mindprod.com

Roedy Green
01-28-2009
On Tue, 27 Jan 2009 17:26:15 -0800, Roedy Green
<(E-Mail Removed)> wrote, quoted or indirectly quoted
someone who said :

>What schemes have you seen/conceived of for a server to keep track of
>which login session a client is?


summarising what I have learned:

You might wonder how after the login is complete that the server can
tell if messages coming in from the Internet are from people who are
already logged in. There are a number of ways of doing it. Some you
might think would work don’t.


1. By IP. You might think the server could just check if an IP in a
message header was from someone logged in. This does not work because
IPs are shared. Everyone in your home on the LAN, when they access the
Internet, comes from the same IP, the IP of your router.

2. By TCP/IP session. You might think the server would just check that
the message came in on the same TCP/IP session as the user logged in
on. This won't work since you often connect with multiple sessions,
and you would not want to have to relogin just because a session
tanked.

3. Basic. The server sends you id/password with every request that is
restricted. This method is not secure since the id/password pair is in
plain text for any snoop to see.

4. NTLM. This is a Microsoft proprietary protocol that will only work
with Microsoft servers and clients. I don’t know how it works. Java
supports it.

5. By Cookie. The server sends a cookie at login time, and the user
includes this cookie with each message to the server. This method is
not secure since anyone snooping can spoof the user by just copying
the invariant cookie. Further, the client’s browser must be configured
to accept cookies, a practice which invites all manner of malicious
spying.

6. By HTTP auth digest (RFC 2617). Here each incoming message is
digitally signed in an unforgeable way. The disadvantage of this
approach is it takes a bit more CPU time to compute the digests and
requires more transmission overhead. The advantage is it is the
most secure method without resorting to a fully encrypted data stream.
--
Roedy Green Canadian Mind Products
http://mindprod.com
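The Basic and Digest schemes from angrybaldguy's point 4 and items 3 and 6 of the summary above, as an added Python example that is not from any post in the thread: both sides of an RFC 2617 exchange, with constructed credentials, realm, nonce counts and URI. Basic is shown first because it is decodable by anyone who sees the header. With Digest the client proves knowledge of the password through a keyed MD5 over the server nonce, nonce count, client nonce, method and URI, so a recorded header yields neither the password nor a credential that can be replayed or pointed at a different resource once the server has advanced its nonce count. Two caveats a practitioner would want alongside it: qop=auth leaves the message body unprotected, and RFC 2617 specifies only MD5, so in practice the answer is TLS carrying a session cookie, not Digest on its own.

```python
import base64
import hashlib
import hmac
import secrets

REALM = "example.org"   # assumption for the example


def _md5(s):
    # RFC 2617 specifies MD5 only; it is used here because that is the protocol.
    return hashlib.md5(s.encode()).hexdigest()


# Basic (RFC 2617 section 2): the credentials themselves ride on every request.
def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def snoop_basic(header):
    """Anyone who sees the header has the password; base64 is an encoding, not encryption."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


# Digest (RFC 2617 section 3, qop=auth).
class DigestServer:
    def __init__(self, credentials):
        # Keep HA1 = MD5(user:realm:password) per user, never the password itself.
        self._ha1 = {u: _md5(f"{u}:{REALM}:{p}") for u, p in credentials.items()}
        self._nonces = {}     # nonce issued -> highest nonce count accepted

    def challenge(self):
        """The WWW-Authenticate parameters sent with a 401."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = 0
        return {"realm": REALM, "qop": "auth", "nonce": nonce, "algorithm": "MD5"}

    def verify(self, method, p):
        """Check the Authorization parameters of one request."""
        ha1 = self._ha1.get(p.get("username"))
        nonce = p.get("nonce")
        if ha1 is None or nonce not in self._nonces:
            return False
        nc = int(p["nc"], 16)
        if nc <= self._nonces[nonce]:
            return False                       # replay: nc must strictly increase
        ha2 = _md5(f"{method}:{p['uri']}")
        expected = _md5(f"{ha1}:{nonce}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
        if not hmac.compare_digest(expected, p["response"]):
            return False
        self._nonces[nonce] = nc
        return True


def digest_authorization(user, password, method, uri, chal, nc, cnonce):
    """The Authorization parameters a client sends back; the password stays on the client."""
    ha1 = _md5(f"{user}:{chal['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    nc_hex = f"{nc:08x}"
    return {
        "username": user, "realm": chal["realm"], "nonce": chal["nonce"],
        "uri": uri, "qop": "auth", "nc": nc_hex, "cnonce": cnonce,
        "response": _md5(f"{ha1}:{chal['nonce']}:{nc_hex}:{cnonce}:auth:{ha2}"),
    }


def exchange():
    """One challenge, then four requests: genuine, replayed, wrong password, re-targeted."""
    server = DigestServer({"roedy": "correct horse"})     # constructed credentials
    chal = server.challenge()
    cnonce = secrets.token_hex(8)
    good = digest_authorization("roedy", "correct horse", "GET", "/private", chal, 1, cnonce)
    accepted = server.verify("GET", good)
    replayed = server.verify("GET", good)                 # a snoop re-sends the same header
    wrong = digest_authorization("roedy", "wrong", "GET", "/private", chal, 2, cnonce)
    rejected_pw = server.verify("GET", wrong)
    # A captured response cannot be pointed at another resource: HA2 binds method and URI.
    moved = dict(good, uri="/admin", nc="00000003")
    rejected_uri = server.verify("GET", moved)
    return accepted, replayed, rejected_pw, rejected_uri


if __name__ == "__main__":
    print(snoop_basic(basic_header("roedy", "correct horse")))
    print(exchange())
```

The server stores HA1 rather than the password, which is the RFC's intent, but note that HA1 is itself a password-equivalent for this realm: a copy of that table lets an attacker compute valid responses without ever learning the password, so it needs the same protection the password file would.
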
 