
I am writing a java program, where the user has to login with their username and password. I want to enable the user to stay logged in, so that the login procedure does not need to be done for every start of the program.

My current implementation for this is to use java.util.prefs.Preferences and store the username of the last logged in person and store whether this person should be automatically logged in. This works, but can easily be manipulated, as you could manually modify the Preferences values (by changing the values in HKEY_CURRENT_USER). One could then save some username in the Preferences and save that this user should be auto-logged in, and therefore the password could be bypassed. So this does not seem like a proper secure implementation.

In what way can that be implemented securely, so that the password cannot be bypassed by manipulating the stored data (easily)?

Fay Boisam
  • What about encrypting the password and username? And when the app reads the data, decrypt it? – KunLun Jan 16 '20 at 16:58
  • Where is your authentication layer? I mean when user enters the password for the first time, where is his/her password stored against what you are checking your user input? How are you protecting your password store against a malicious user? Given you have a good strategy for that, perhaps you can rely on the same strategy with autologin details? – Tarmo Jan 16 '20 at 19:39

1 Answer


Use a specific encryption algorithm to put your username into your Preferences.

(Encrypt username and then put it into Preferences.)

Assume a normal scenario (when you put encrypted username into Preferences.)

  • Normal user requested.

    • application gets the username
    • encrypts the username and puts the encrypted value into Preferences
    • gets the status of the user from Preferences (via the encrypted username)

Assume an attack scenario

  • Attacker puts his plain username in the Preferences (the attacker is not aware of the usernames' cryptography)

  • Attacker requested

    • application gets the username
    • encrypts the username and puts the encrypted value into Preferences
    • gets the status of the user from Preferences (<encryptedUsername, status>)
      • status of this username is null (the value of the key does not exist)

The encrypted username does not match the plain username that the attacker had registered (had manipulated).

For more information about Encrypted Preferences, you can use the link below:

Encrypted Preferences in Java

Notice that you must take care of the encryption key; there are several ways to do this:

Key Management

    Seems a bit security through obscurity. Where would you hide the encryption key? – Tarmo Jan 16 '20 at 19:34
  • @Tarmo https://stackoverflow.com/questions/8375385/store-encryption-keys-in-java-code – Mehrdad HosseinNejad Yami Jan 16 '20 at 19:44
    Yes. This was exactly where I was going with my comment. If this is a fully offline desktop application (or at least the auth layer is in users computer) solving this problem with encryption is security through obscurity (which is ok only if the things you are protecting are not that important). In any other case a full PKI solution or server side authentication would make sense. – Tarmo Jan 16 '20 at 20:29
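As an added example (not code from the question or the answer), here is a remember-me design that does not depend on hiding a key in the client: Preferences holds only a random token, and the protected credential store (a HashMap stand-in here; the key name `rememberMeToken` and the 30-day lifetime are assumed) maps SHA-256(token) to the username, so a username written into Preferences by hand matches nothing.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Optional;
import java.util.prefs.Preferences;

public class RememberMe {
    private static final String PREF_KEY = "rememberMeToken";          // assumed key name
    private static final long MAX_AGE_MS = 30L * 24 * 60 * 60 * 1000;   // assumed 30-day lifetime
    record TokenRecord(String username, long issuedAt) {}
    // Stand-in for the protected credential store: keyed by SHA-256(token), never by username.
    private final HashMap<String, TokenRecord> tokenStore = new HashMap<>();
    private final Preferences prefs = Preferences.userNodeForPackage(RememberMe.class);
    private final SecureRandom rng = new SecureRandom();

    /** Call only after a successful password login. */
    public void remember(String username) {
        byte[] raw = new byte[32];                                      // 256 random bits
        rng.nextBytes(raw);
        String token = Base64.getEncoder().encodeToString(raw);
        tokenStore.put(sha256(token), new TokenRecord(username, System.currentTimeMillis()));
        prefs.put(PREF_KEY, token);                                     // the only value the client keeps
    }

    /** Username of the remembered user, or empty if the token is missing, unknown or expired. */
    public Optional<String> autoLogin() {
        String token = prefs.get(PREF_KEY, null);
        if (token == null) return Optional.empty();
        TokenRecord rec = tokenStore.get(sha256(token));               // a forged value here matches nothing
        if (rec == null || System.currentTimeMillis() - rec.issuedAt() > MAX_AGE_MS) {
            forget();                                                   // discard stale or unknown tokens
            return Optional.empty();
        }
        return Optional.of(rec.username());
    }

    /** Logout: revoke the token in the store and in Preferences. */
    public void forget() {
        String token = prefs.get(PREF_KEY, null);
        if (token != null) tokenStore.remove(sha256(token));
        prefs.remove(PREF_KEY);
    }

    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);                         // SHA-256 is mandatory in every JRE
        }
    }
}
```

If the credential store itself lives in user-writable space on the same machine, a local user can simply add their own record, which is the point the comments above make; the token only helps when that store is protected (server-side or OS-protected).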