Saving username, password using cookies / sessions - Java Servlets

I am trying to create a login page using servlets. I created a basic HTML page that has a form with a username and password. Now I need to save the information presented on the form using cookies / sessions. Then, on the login page, the user should be able to log in using the information provided previously. So basically I need to know how to save username and password.

So, if I logged in with the username admin and password 123, and then logged in with the username user and password 12345, I should not be able to log in as admin with 12345 or as user with 123. Thank you!

HTML FORM

<html>
<head>
    <title>Registration</title>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body bgcolor="lightblue">
<center>
    <h1></h1>
    <br>
    <hr>
    <br><br>
    <form action="/Registration" method="get">
        <h3> Please register to start </h3>
        Username: <input type="text" name="userName"> <br>
        Password: <input type="password" name="password"> <br> <br>
        <input type="submit" value="Register"> <br><br>
    </form>
</center>
</body>
</html>

JAVA SERVLET

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Registration extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response); // IDE-generated helper, defined elsewhere in this class

        // Create cookies for the username and password.
        Cookie userName = new Cookie("userName", request.getParameter("userName"));
        Cookie password = new Cookie("password", request.getParameter("password"));

        // Set the expiry to 24 hours for both cookies.
        userName.setMaxAge(60 * 60 * 24);
        password.setMaxAge(60 * 60 * 24);

        // Add both cookies to the response header.
        response.addCookie(userName);
        response.addCookie(password);
    }
}
1 answer

Cookies are stored on the client side and sent to the server with each request. It's not good practice to put passwords in cookies because they are easily intercepted and in many cases remain in users' browsers even after they leave the site.

You have to rely on the session. Java EE allows you to create a session for the user, whose browser stores the session identifier, which is then sent with each request. You can instead store information about this user on the server.

Using your code, you can create a session.

import javax.servlet.http.HttpSession;

// Get the session; the `true` argument creates one if none exists yet.
HttpSession session = request.getSession(true);
session.setAttribute("userName", request.getParameter("userName"));
session.setAttribute("password", request.getParameter("password"));

// To read the username and password back (getAttribute returns Object, so cast to String):
String userName = (String) session.getAttribute("userName");
String password = (String) session.getAttribute("password");

Now, of course, if you do this, then when the server's cache is cleared the usernames and passwords will be deleted. Also, unencrypted passwords in the server cache certainly have security problems.


Edit:

If 2 people were supposed to use the same computer, then no, the code above will not work well. This is because user credentials are stored only in the session; nothing is saved after the session has been destroyed or the data in the session has been overwritten. Imagine a session as an object that is directly attached to each user. So right now I'm on StackOverflow, where somewhere in the code there is a special object just for me and my browser (the session!), and there is something in that session object that says my current user is logged in. I urge you to think about how you can store user credentials outside the session and instead store the currently logged-in user inside the session.

To learn more about sessions and how they work, there is an excellent answer here: What are sessions? How do they work?

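Following the answer's advice (credentials kept outside the session, only the logged-in identity inside it), here is an added example that is not part of the original question or answer. It is a single servlet mapped to both the question's `/Registration` path and an assumed `/Login` path, reading the same `userName` and `password` parameters as the question's form. Registered users live in a server-side store (an in-memory map here, standing in for a database table), passwords are stored as salted PBKDF2-HMAC-SHA256 hashes rather than in plain text, and after a successful login the session holds only the username. The `javax.servlet` namespace and `@WebServlet` (Servlet 3.0+) are assumptions; on Jakarta EE 9 or later the imports become `jakarta.servlet`. Note that it handles POST: the question's form should be switched to `method="post"` so the password does not end up in the URL, browser history and server access logs.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: /Login is an assumed mapping, not one from the question.
@WebServlet(urlPatterns = {"/Registration", "/Login"})
public class AuthServlet extends HttpServlet {

    // username -> "base64(salt):base64(hash)". In-memory stand-in for a users table;
    // credentials live here, on the server, never in a cookie or the session.
    private static final Map<String, String> USERS = new ConcurrentHashMap<>();
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ITERATIONS = 100_000;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String userName = req.getParameter("userName");
        String password = req.getParameter("password");
        if (userName == null || userName.isEmpty() || password == null || password.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing credentials");
            return;
        }

        if ("/Registration".equals(req.getServletPath())) {
            // putIfAbsent: a second registration cannot overwrite an existing user's password.
            if (USERS.putIfAbsent(userName, hashPassword(password)) != null) {
                resp.sendError(HttpServletResponse.SC_CONFLICT, "user already exists");
                return;
            }
            resp.getWriter().println("registered " + userName);
            return;
        }

        // Login: verify against the stored hash, then record only the identity in the session,
        // so "admin" with user's password (or vice versa) is rejected.
        String stored = USERS.get(userName);
        if (stored == null || !verifyPassword(password, stored)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "bad username or password");
            return;
        }
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate(); // drop any pre-login session so its id cannot be fixated
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("user", userName); // identity only, never the password
        resp.getWriter().println("logged in as " + userName);
    }

    // Salted PBKDF2-HMAC-SHA256; the random salt is stored next to the hash.
    static String hashPassword(String password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password.toCharArray(), salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + ":" + b64.encodeToString(hash);
    }

    static boolean verifyPassword(String password, String stored) {
        String[] parts = stored.split(":", 2);
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        byte[] actual = pbkdf2(password.toCharArray(), salt);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Later requests check `request.getSession(false)` and its `user` attribute to decide who is logged in; restarting the container still clears the in-memory map, which is why a real deployment replaces `USERS` with a database table holding the same salt-and-hash strings.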

Source: https://habr.com/ru/post/1204065/
