
I came across this online document, and in it there is a slide about GWT offline authentication:

When online, authentication is done by the server.

  • We should then be able to re-authenticate him/her without the server. Be careful! Local storage completely insecure!
  • We thus store the user’s password in the browser, salted and crypted with SHA-3.

    Find a Java SHA-3 implementation, copy-paste in the project:
    String shaEncoded = SHA3.digest(clearString);
    (Offline HTML5 apps with GWT, slide 18)

The questions are:

  1. Is it really possible to securely authenticate a GWT application with this approach? If it's SHA-3 encoded, would that really make it secure?
  2. When the user gets authenticated in the browser and then uses the offline app, say to save stuff, then surely it is just stored in HTML5 Storage, perhaps with the user info embedded in anything saved. Then, when the app gets back online, it will sync to the server. How is this secure? Would the server just accept that the thing it is syncing really is from the right user?

2 Answers


There is no special case for offline regarding authentication. It works the same as with online.

You will usually have a Cookie with session information stored in your Client's browser which is used to authenticate the client with the server (when you are making a request). As long as the session information is persistent on the backend, you can re-authenticate the user.

You must not store the password on the client side. It is enough to store some session information on the client (either in a Cookie or LocalStorage) and use that to authenticate the user.


Actually you are not storing the password itself in the browser, but its SHA-3 hash. From a cryptography perspective this approach is very secure as it is not easily possible to retrieve the original password.

Just note: Your code will be stored on the client side and every source code on the client can be tampered with. So also a malicious user might be able to read and exploit it. But don't worry, for the ordinary use case of an offline usable application, this is secure enough.

What I would do for long-running server sessions: Generate a random ID on the server side, associate it with the user and store it, e.g. in a database. Set the ID as a cookie on the client and re-authenticate the user whenever he is not logged in and still has this ID in a cookie. To limit the amount of time, you can add a timeout value on the server side after which the ID is discarded.
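The server-side session store described in the answer above, written out as an added example (not code from the question, the slides or either answer). It assumes a hypothetical `SessionStore` class in the GWT server (servlet) tier; the in-memory map stands in for the database table the answer mentions, and the returned ID is what would be placed in the cookie.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical server-side store of opaque session IDs (added example, not part of any real project). */
public final class SessionStore {
    private static final SecureRandom RNG = new SecureRandom();

    private static final class Entry {
        final String user;
        final Instant expires;
        Entry(String user, Instant expires) { this.user = user; this.expires = expires; }
    }

    // Stands in for the database table from the answer; kept in memory so the example is self-contained.
    private final Map<String, Entry> sessions = new ConcurrentHashMap<>();
    private final Duration timeout;

    public SessionStore(Duration timeout) { this.timeout = timeout; }

    /** After a successful password login: mint a random 256-bit ID for the user and return it for the cookie. */
    public String create(String user) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, new Entry(user, Instant.now().plus(timeout)));
        return id;
    }

    /** Re-authenticate from a cookie value; unknown or timed-out IDs are discarded and yield empty. */
    public Optional<String> authenticate(String id) {
        if (id == null) return Optional.empty();
        Entry e = sessions.get(id);
        if (e == null) return Optional.empty();
        if (Instant.now().isAfter(e.expires)) {
            sessions.remove(id);          // timeout reached: forget the ID server-side
            return Optional.empty();
        }
        return Optional.of(e.user);
    }

    /** Logout: drop the ID so the cookie value can no longer re-authenticate anyone. */
    public void revoke(String id) { sessions.remove(id); }
}
```

The browser only ever holds the random ID, never the password or its hash, and the server remains the sole authority on whether that ID is still valid.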