
Login thing

Hello there,
I have a very simple login JSP that connects to an Oracle database. I want to be able to save the username that the user enters and then use it in subsequent pages for database queries. How should I go about this?
Here is the login page.
<%@ page language="java" import="java.sql.*,oracle.jdbc.*" %>
<html>
<body bgcolor="white">
<H2 align=center>WIT Final Year Computing Projects Management System</H2><hr><br><H4 align=center>Log In Here</H4><br><p>
<form name="f1" method="post">
<TABLE cellSpacing=0 cellPadding=3 width="100%" align=center border=0><TBODY>
<TR vAlign=top>
<TD align=right width="40%"><B>User Name</B></TD><TD><input type="text" name="t1"></TD>
</TR>
<TR vAlign=top>
<TD align=right><B>Password:</B></TD>
<TD><input type="password" name="t2"></TD>
</TR>
<TR vAlign=top>
<TD align=middle colSpan=2><input type="submit" name="b1" value="Log In"></TD>
</TR>
</TBODY></TABLE>
</form>
<%
String user=request.getParameter("t1");
String pass=request.getParameter("t2");
// On the first GET both fields are null: just show the form.
// Only a POST of the form reaches the database code below.
if(user!=null && pass!=null){
  boolean ok=false;
  Connection con=null;
  try{
    Class.forName("oracle.jdbc.driver.OracleDriver");
    // thin-driver URL format: jdbc:oracle:thin:@host:port:SID
    con=DriverManager.getConnection("jdbc:oracle:thin:@witnt07.wit.ie:1521:orawit","25CSD03","25CSD03");
    Statement st=con.createStatement();
    ResultSet rs=st.executeQuery("select a_id,password from admindetails");
    // Check every admin row; stop at the first match.
    while(rs.next() && !ok)
    {
      String username=rs.getString(1);
      String password=rs.getString(2);
      ok=user.equals(username) && pass.equals(password);
    }
    rs.close();
    st.close();
  }catch(Exception e1){
    // An empty catch hid every driver/connection error; log it instead.
    application.log("admin login query failed",e1);
  }finally{
    if(con!=null){ try{ con.close(); }catch(SQLException e2){} }
  }
  // Forward only after ALL rows have been checked. Forwarding to
  // loginfailed.html from inside the loop rejected anyone who was not
  // the first row in admindetails.
  if(ok){
%>
<jsp:forward page="indexadmin.html"/>
<%
  }else{
%>
<jsp:forward page="loginfailed.html"/>
<%
  }
}
%>
</body>
</html>

Thanks,
Ray (In a bad mood!)

That should do the trick nicely.
How does this code work!?
session.setAttribute("username", username);
session.setAttribute("password", password);
Is it setting up a session variable?
Or does the variable exist until the user closes the window?
And is that all the code I need?
And finally how do I access it?
Ray(Slightly happier!)
I think a better way can be adopted by modifying the SQL a bit:

Is this better?
Nick.
In addition, if you need to execute SQL statements via JSP, it is better to use PreparedStatement instead of Statement.
Depending on how Statement is used, there may be a security issue that lets hackers obtain DB data.
Nick.
 

Originally posted by Ray Godfrey:
How does this code work!?
session.setAttribute("username", username);
session.setAttribute("password", password);
Is it setting up a session variable?
Or does the variable exist until the user closes the window?
And is that all the code I need?
And finally how do I access it?
Ray(Slightly happier!)


That's all you need to persist the data across requests. It will exist until the session times out (the timeout interval is set in the server or webapp configuration files) because no request has come from the same browser instance for the timeout period, or until you call session.invalidate().
You can access them by using session.getAttribute("username") (for example).
The session variable is automatic in JSPs, in a servlet you'd have to use request.getSession() first to retrieve the session from the request.
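To show the lifecycle this reply describes in code, here is an added example; it is not code from the thread. It assumes the Servlet API (javax.servlet), that the login page stored the user name under the session key "username" as in the thread, and uses made-up names for the two servlets and for the /login.jsp path.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// A page that must only be reachable after login. The servlet name and
// the /login.jsp path are assumptions for this example.
public class AdminPageServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) returns null instead of silently creating an
        // empty session for a visitor who never logged in.
        HttpSession session = req.getSession(false);
        String user = (session == null) ? null : (String) session.getAttribute("username");
        if (user == null) {
            // No session, a timed-out session, or no login yet: back to the form.
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        resp.setContentType("text/html;charset=UTF-8");
        // getMaxInactiveInterval() is in seconds; the container default comes
        // from web.xml (session-timeout, in minutes).
        resp.getWriter().println("<p>Logged in as " + escapeHtml(user)
            + "; this session ends after " + session.getMaxInactiveInterval()
            + " seconds without a request.</p>");
    }

    // The user name came from a form field, so escape it before echoing it.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}

// Explicit logout: invalidate() drops every attribute and the server-side
// session, so the JSESSIONID the browser still holds no longer maps to anything.
class LogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect(req.getContextPath() + "/login.jsp");
    }
}
```

Map both servlets in web.xml (or with @WebServlet). The idle timeout the reply mentions is the `<session-config><session-timeout>30</session-timeout></session-config>` entry in web.xml, in minutes; `setMaxInactiveInterval(seconds)` on an individual session overrides it. Note that only the session ID travels in the cookie: the attribute values stay on the server.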
 

Originally posted by Nicholas Cheung:
I think a better way can be adopted by modifying the SQL a bit:

Does this better?
Nick.


Yes, that would be slightly faster and more secure (protecting against the ResultSet being null, which according to the JDBC spec should never happen but which I have encountered in the past, is a good idea). Other than that it doesn't affect the problem at hand, so I omitted the extra check.
Hi Ray:


Is it setting up a session variable?


NO. A session variable is already implicitly declared. You are not required to define it, but you can use it. In fact, there are 9 implicit variables that can be used without declaring.
1. request
2. response
3. exception (the attribute errorPage inside page directive must be true)
4. session (the attribute session inside page directive must be true)
5. page
6. pageContext
7. application (the servlet context)
8. config
9. out


Or does the variable exist until the user closes the window?


The session variable is destroyed when the session is invalidated. If the browser is simply closed without any signal being sent to the server, the session is still there until the timeout period is reached.


And is that all the code I need?


Depends on what you want to store. In fact, you can see that the session can store ANY Java objects, not just strings. Thus, if you want, you can do this:

When you get it back from the session, you can trace who is the current user.


And finally how do I access it?


You can access it by:

Hope this helps.
Nick.
 


Yes, that would be slightly faster and more secure


Yes. This is our practice when connecting to the DB via JDBC.
The manipulation of the ResultSet is not really important; the key point in the suggestion is to use PreparedStatement instead of Statement, for security reasons.
Nick.
Another nice addition I've used for security as well as flexibility is to store all SQL outside the Java/JSP source in a ResourceBundle or XML file and access it from there.
That way, even if the JSP gets compromised in some way and the code is sent out over the net, the actual SQL is never seen by the client, as it's hidden in an area that's not accessible through HTTP requests.
If a cracker compromises the server and gets root access through telnet, all bets are off of course, but that was the case anyway.
Speaking of security, I would definitely avoid having a password floating around as a session variable. The only time the password should be on the wire is when it is sent from the client to the server for authentication purposes. After successful authentication, you should not need the password anymore. Of course, you'll want to implement SSL during the login to ensure that when the password does go over the wire, it is encrypted.
WS
The password is never sent over the wire if stored in the session.
That's a common misconception that's patently false.
Only the sessionID is ever sent to the client.
I do agree that the password should be encrypted.
In fact, I'd say the password should be MD5 encrypted before storage, then the entered password encrypted and compared with that.
Of course you'd not need the password after that, but as it was the question...
In fact, the easiest way is to store only the user id and a token that indicates whether the user can log in; other than that, unless specified, no additional info should be stored.
Nick.
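Putting the thread's advice together (Nick's PreparedStatement point, the remark that the stored password should be a hash that the entered password is compared against, and the closing suggestion to keep only the user id in the session), here is an added login servlet; it is not code from the thread. Assumptions: the Servlet API (javax.servlet), a container DataSource bound at the made-up JNDI name java:comp/env/jdbc/witdb, an admindetails table with pw_salt and pw_hash columns instead of the thread's plaintext password column, PBKDF2-HMAC-SHA256 from the JDK in place of the MD5 mentioned above, and an indexadmin.jsp landing page (a static .html cannot check the session).

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.sql.*;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.sql.DataSource;

// Assumed table (not the thread's plaintext admindetails):
//   admindetails(a_id VARCHAR2(30) PRIMARY KEY,
//                pw_salt VARCHAR2(32),   -- Base64 of 16 random bytes
//                pw_hash VARCHAR2(64))   -- Base64 of the PBKDF2 output
public class LoginServlet extends HttpServlet {
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // Used when an admin account is created: returns {salt, hash}, both Base64.
    static String[] newSaltAndHash(char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return new String[] {
            Base64.getEncoder().encodeToString(salt),
            Base64.getEncoder().encodeToString(pbkdf2(password, salt)) };
    }

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                               .generateSecret(spec).getEncoded();
    }

    // True only if the entered password reproduces the stored hash.
    static boolean verify(char[] password, String saltB64, String hashB64) throws Exception {
        byte[] expected = Base64.getDecoder().decode(hashB64);
        byte[] actual = pbkdf2(password, Base64.getDecoder().decode(saltB64));
        return MessageDigest.isEqual(expected, actual);   // constant-time compare
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("t1");   // same field names as the thread's form
        String pass = req.getParameter("t2");
        boolean ok = false;
        if (user != null && pass != null) {
            try {
                // DB credentials live in the container config, not in the page.
                DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/witdb");
                try (Connection con = ds.getConnection();
                     PreparedStatement ps = con.prepareStatement(
                         "select pw_salt, pw_hash from admindetails where a_id = ?")) {
                    ps.setString(1, user);   // bound parameter, never concatenated into SQL
                    try (ResultSet rs = ps.executeQuery()) {
                        if (rs.next()) {
                            ok = verify(pass.toCharArray(), rs.getString(1), rs.getString(2));
                        } else {
                            // Unknown user: still pay for one PBKDF2 run so response
                            // time does not reveal which user names exist.
                            pbkdf2(pass.toCharArray(), new byte[16]);
                        }
                    }
                }
            } catch (Exception e) {
                getServletContext().log("admin login check failed", e);
            }
        }
        if (!ok) {
            resp.sendRedirect(req.getContextPath() + "/loginfailed.html");
            return;
        }
        // Drop any pre-login session (session fixation) and keep only the user id;
        // the password is never stored anywhere after this point.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setAttribute("username", user);
        resp.sendRedirect(req.getContextPath() + "/indexadmin.jsp");
    }
}
```

Later pages read `session.getAttribute("username")` and use it as a bound parameter in their own PreparedStatements; nothing in the session is worth stealing beyond the identity itself, and the SQL text never contains user input. Deploy the whole application over SSL so the submitted password and the session cookie are not readable on the wire.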