Login/Logout seems like a simple operation in a web application. However, small pieces of information left behind can give an attacker an opening. Here is a simple, minimal workflow which we should ensure while implementing login/logout functionality in web applications.
- Have a Security Manager on the Gateway which can authenticate and possibly authorize every new request to the server. For example, it could be a ServletFilter.
  - It should check every new request to see whether the user is logged in or not.
  - If yes, does the currently requested URL exist?
  - If yes, does the user have rights on the currently requested URL?
- If the request passes through the Security Manager, the login manager should do the following:
  - Clean the existing session of all application-specific information.
  - Invalidate the session using session.invalidate().
  - If the request is for login:
    - Check whether a user exists for the given user name and password.
    - If not, return to the right page with a message.
    - If yes, go ahead:
      - Create a new session, for example request.getSession(true).
      - Fill the session with all application-specific information for the current user, such as the full UI structure the current user is authorized to see.
      - Forward the request to the home page of the requested application or module.
  - If the request is for logout:
    - Forward the request to the logout message page.
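The login manager steps above written as a Java servlet, as an added example that is not code from the original post. The UserService interface, the /login.jsp, /logout.jsp and /home paths, and the 15-minute idle timeout are assumptions; the Security Manager filter in front of it is not shown.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    /** Assumed application security service (hypothetical, not from the post). */
    public interface UserService {
        Object authenticate(String username, String password); // null if credentials fail
        Object authorizedMenu(Object user);                   // UI structure for this user
    }

    private UserService users; // wired up in init() from the application's context

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Drop whatever session the browser arrived with: stale application data,
        //    a previous user's login, or an attacker-chosen id (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        if ("logout".equals(req.getParameter("action"))) {
            req.getRequestDispatcher("/logout.jsp").forward(req, resp);
            return;
        }
        // 2. Authenticate against the security service.
        Object user = users.authenticate(req.getParameter("username"),
                                         req.getParameter("password"));
        if (user == null) {
            // One generic message: do not reveal which of the two values was wrong.
            req.setAttribute("message", "Invalid user name or password");
            req.getRequestDispatcher("/login.jsp").forward(req, resp);
            return;
        }
        // 3. Only after successful authentication create a fresh session and
        //    fill it with the application-specific data for this user.
        HttpSession session = req.getSession(true);
        session.setMaxInactiveInterval(15 * 60); // idle timeout in seconds
        session.setAttribute("user", user);
        session.setAttribute("menu", users.authorizedMenu(user));
        // 4. Redirect rather than forward so a browser refresh does not resubmit credentials.
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

Invalidating the old session before authenticating and creating the new one only after success is what prevents a session id chosen before login from surviving into the authenticated session.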
This is the minimal workflow needed to ensure the basic principles; a lot can be added to implement application-specific security checks and to support the application structure. As one extension, the Security Filter sitting at the gateway can interact with a security service to validate the current request for authentication and authorization. Similarly, the Login/Logout implementation can interact with the Security Service to authenticate the login information and later to retrieve the user-specific application settings, for example the menu structure and UI look.
This brief information may help in concept building and in basic architecture design.