Alternative to passing userid & password through Java applet?
The applet will help the user to create java class objects which will be sent to the PHP server, which will store the object as a blob in a MySQL database. The reverse should work too - reading the data back.
The user will have to be logged into the PHP server anyway to view this applet. But at the same time I don't want to leave the applet 'open' to have access to the database (through PHP) without a password.
The connection will be like this: Java Applet -- send URL stream --> PHP Script -- Authenticate -- if valid connect to DB --> MySQL DB
I want this process to authenticate the user but at the same time I don't want the user to have to log in again after having logged into the website, and at the same time I don't want the Applet to store any secure information because thats not safe.
Is there a way around here? Or will I have to look for an alternative? (If so, what alternative?)
Your applet should have the ability to read cookies from the page it is displayed on. So, assuming the user has authenticated into the webpage, you could have it grab a session ID (or whatever) from the page, and use that to 'authenticate' into your server. However, bear in mind that unless you're using an encrypted session (https), these cookies can be read in transit by 3rd parties. Also, you need to be aware that any 3rd party scripts on your page will also be able to read these cookies.
I don't think this is as ideal from a security standpoint as having the user authenticate to the database again, but this is an alternative you can use.
The applet call should enter the same HTTP session that has already been created by server when user entered the site.
The session is created by server and server sends the session ID as a special Cookie. In case of java based servers it is typically jsessionid. The server sends cookies using HTTP response header named Set-Cookies. Client should send all the cookies back using header Cookies.