Re(2): Re(2): [JDEV] Re-using session - is it po ssible?
Sebastian Paul Avarvarei
proteus at proteusworld.com
Mon Sep 16 05:50:00 CDT 2002
Thanks to all the people who pitched in to help. This is indeed a great community.
In the end I decided to go with the following implementation method: when the user will login on the website, an unique session ID will be generated for him and stored in the database, together with the user's password. If the user starts the Jabber client applet, the applet will use the session ID to fetch the password from the database and authenticate against the Jabber server.
I admit, this solution is particular to the website I build and it's not extremly secure. Then again, the website login is done through normal HTTP (not HTTPS), so the password can be sniffed anyway. But the website doesn't require an extremly high level of security as it doesn't contain sensitive data, to justify the extra cost of developing more enhanced security.
There are ways of enhancing the security of this solution, e.g. maybe the website session ID can be linked to member's IP address, and the Jabber applet won't query directly the database, instead will ask the password from a PHP script which will check again the IP.
But for now this is the method I'll choose, due to time and budget constraints.
Thank you again for all your help.
More information about the JDev