Can a session cookie be sufficient for authentication?


I'm trying to implement simple password-based authentication for a web application written using the Happstack framework. My user presents an ID and password, which I hash using bcrypt and check against my database. If the hashed password is in the database for that ID, the user is thereby authenticated.

Once I've authenticated the nice user, I would like then to issue a session cookie which marks that user as being logged in for the duration of the session. (I am not trying to implement a "persistent", "remember me" sort of cookie; I am just trying to find out if the user is logged in for the session.)

Is the presence of the session cookie alone sufficient to authenticate the user? If not, what other information is needed? I could store the cookie's (hashed) value in my database, but at this point, I don't see how what I would be doing would be much different from a persistent login cookie.

In short, is it possible for me to use a session cookie to identify an authenticated user, and if so, how should it be done?

(I have been able to learn how and why to mark the session cookie as "secure" and "HTTP only", but I can't figure out what to do with the darn thing!)


You can use happstack-authenticate for an existing solution to password logins. If you still want to roll your own, however, you'll want the happstack-clientsession package for session cookies that the user can't read or write. A normal cookie marked "secure" only means it works over HTTPS, but the user can still both read and write the cookie. With clientsession the cookie will be encrypted with a server-side key. You can use clientsession both for "remember me" and session logins; it simply depends on what you set the sessionCookieLife to. The default if you use mkSessionConf is Session, which is what you want.
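A sketch of the flow this answer describes, written as an added example (not the asker's code and not taken from the happstack-clientsession documentation): the bcrypt check from the question is the only thing that writes a user id into the encrypted session, and the protected route trusts nothing but what it reads back from that session. It assumes the happstack-clientsession API as documented (mkSessionConf, runClientSessionT, getSession/putSession/expireSession and the sessionCookieLife/sessionSecure/sessionHttpOnly fields), the bcrypt package's validatePassword, and a hypothetical in-memory userTable standing in for the database.

```haskell
{-# LANGUAGE DeriveDataTypeable, TemplateHaskell #-}
module Main where
import Control.Monad (msum)
import Data.Data (Data, Typeable)
import Data.SafeCopy (base, deriveSafeCopy)
import qualified Data.ByteString.Char8 as B
import Crypto.BCrypt (validatePassword)
import Happstack.Server
import Happstack.Server.ClientSession

-- What the server needs to recognise a logged-in user. It travels in the cookie,
-- but encrypted under the server key, so the client can neither read nor forge it.
newtype SessionData = SessionData { loggedInUser :: Maybe String }
  deriving (Eq, Show, Data, Typeable)
$(deriveSafeCopy 0 'base ''SessionData)
instance ClientSession SessionData where
  emptySession = SessionData Nothing
-- Hypothetical stand-in for the database: (user id, bcrypt hash) pairs.
userTable :: [(String, B.ByteString)]
userTable = []  -- constructed placeholder; populate from your real store
type Handler = ClientSessionT SessionData (ServerPartT IO) Response
-- POST /login: only a successful bcrypt check writes a user id into the session.
login :: Handler
login = dir "login" $ do
  method POST
  decodeBody (defaultBodyPolicy "/tmp/" 0 4096 4096)
  uid <- look "user"
  pw  <- look "password"
  case lookup uid userTable of
    Just h | validatePassword h (B.pack pw) -> do
      putSession (SessionData (Just uid))
      ok (toResponse "logged in")
    _ -> unauthorized (toResponse "bad credentials")
-- GET /private: trusts only what it reads back from the decrypted session.
private :: Handler
private = dir "private" $ do
  s <- getSession
  case loggedInUser s of
    Just uid -> ok (toResponse ("hello " ++ uid))
    Nothing  -> unauthorized (toResponse "please log in")
logout :: Handler
logout = dir "logout" $ expireSession >> ok (toResponse "bye")

main :: IO ()
main = do
  key <- getDefaultKey  -- server-side key; the browser never sees it
  let conf = (mkSessionConf key)
        { sessionCookieLife = Session  -- per-session, not "remember me"
        , sessionSecure = True, sessionHttpOnly = True }
  simpleHTTP nullConf $ runClientSessionT (msum [login, private, logout]) conf
```

Because the user id lives inside the encrypted cookie, nothing needs to be stored server-side per session; expireSession on logout is what ends it, and the Session lifetime means the browser drops the cookie when it closes.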