creating secure Java apps

Ranch Hand
Posts: 51
Hi guys,

I'm looking to create a secure webapp using Java. It will have a very basic username/password login
which will redirect to a 'secure' area.

You can only access the pages under this secure area if you are logged in, otherwise you will be redirected
to the login JSP.

Now this is the first time I've tried this and I have collected my ideas and info from various webpages, so it is
possible I'm completely off track here.

What I've tried to do is write two small pieces of code. One is in the LoginServlet which creates a cookie, with a
name and userid (encoded). The other piece is in an 'include file' which every page under the secure area uses.

This simply looks to see if the cookie exists for that user and if it does fine, otherwise redirect to the login page.

Seems quite straightforward to me, but the problem is, if I go directly to a 'secure' page (and there is no
cookie present) the page still opens up.

Here are the two pieces of code:

LoginServlet code to create cookie:

    try {
        String strUserID = String.valueOf(iUserID);
        // URLEncoder.encode(String) is deprecated; give it a charset explicitly
        Cookie cookie = new Cookie("UserID", URLEncoder.encode(strUserID, "UTF-8"));
        cookie.setMaxAge(3600); // expires after 1 hour
        // the cookie is only sent to the browser once it is added to the response
        response.addCookie(cookie);
    } catch (Exception exC) {
        System.out.println("[LoginServlet] Failed to create cookie: " + exC);
        throw new ServletException(exC.getMessage());
    }

Include file code, to check cookie exists:
    try {
        session = request.getSession(true);
        Cookie[] cookies = request.getCookies();
        boolean loggedIn = false;
        if (cookies != null) {
            for (int i = 0, n = cookies.length; i < n; i++) {
                Cookie cookie = cookies[i];
                if (cookie.getName().equals("UserID")) {
                    System.out.println("Session cookie found, user is logged in.");
                    loggedIn = true;
                    break;
                }
            }
        }
        if (!loggedIn) {
            System.out.println("No session cookie for user, user must first log in.");
            // without the redirect and return the rest of the page is still rendered
            response.sendRedirect("login.jsp");
            return;
        }
    } catch (Exception ex) {
        System.out.println("Error finding cookie: " + ex);
    }

As I say, I could be completely off track with this, but I think it should be right.
Ranch Hand
Posts: 2874
Check via session.

Once the user has been authenticated, put the username and password in the session of that particular user, then check on every request whether the username and password exist or not. On logout, invalidate the session.

Although you can do it with a cookie too. But if the cookie exists and the user just opens the page, then the user can access your app, because the cookie already exists in the browser cache. Though cookies are made for this kind of behaviour.
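A session-based version of the check described in this reply, as an added example that is not code from this thread: a servlet filter that guards everything under /secure/ by looking only at the server-side session, plus a login/logout servlet that sets and invalidates it. It assumes Servlet 3.1+ (for changeSessionId), keeps only the user id in the session, and the checkCredentials helper, the attribute name and the URLs are placeholders.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

// Guards every URL under /secure/ using the server-side session, not a client cookie value.
@WebFilter("/secure/*")
public class AuthFilter implements Filter {
    static final String USER_ATTR = "authUserId"; // assumed name; login and filter must agree

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // false: never create one here
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return; // stop here so the secured page is never rendered
        }
        chain.doFilter(req, res);
    }
}

// Login and logout in one servlet (non-public so both classes fit in one file).
@WebServlet({"/login", "/logout"})
class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String base = request.getContextPath();
        if ("/logout".equals(request.getServletPath())) {
            HttpSession session = request.getSession(false);
            if (session != null) session.invalidate(); // drops the server-side login state
            response.sendRedirect(base + "/login.jsp");
            return;
        }
        // Assumed helper: returns the user's id, or null when the credentials are wrong.
        Integer userId = checkCredentials(request.getParameter("username"),
                                          request.getParameter("password"));
        if (userId == null) {
            response.sendRedirect(base + "/login.jsp?error=1");
            return;
        }
        HttpSession session = request.getSession(true);
        request.changeSessionId(); // Servlet 3.1+: fresh id after login, defeats session fixation
        session.setAttribute(AuthFilter.USER_ATTR, userId);
        response.sendRedirect(base + "/secure/index.jsp");
    }

    // Placeholder for the real check (e.g. a salted password-hash lookup); always fails here.
    private Integer checkCredentials(String user, String pass) { return null; }
}
```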