
Auto Login By Username in Cookie

 
Alec Lee
Ranch Hand
Posts: 569
Suppose we store the authentication info in a cookie so that the user is auto-authenticated the next time he returns. But if we are using form-based declarative authentication, we must explicitly access a constrained resource in order to trigger the container to return the login form.

How do we use the cookie to supply the credential to the container?
 
Eddy Lee Sin Ti
Ranch Hand
Posts: 135
You could create a Filter that checks the validity of the login credentials in client cookies before forwarding the request to the targeted resource.
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
Always be careful about accepting any information from the client, even in cookies. This doesn't necessarily answer your question, but if you implemented a solution where the cookie contained just the username and no other data, users could hack other accounts by modifying the cookie sent.
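The two replies above fit together: a Filter can check a "remember me" cookie before the request reaches the protected resource, but only if the cookie cannot be altered by the client. The following is an added example, not code from this thread; it assumes a cookie named REMEMBER_ME, a filter init-param `remember-me-key` holding a server-side secret, and a session attribute `rememberedUser` that application code reads. The cookie value is `username:expiryMillis:base64(HMAC-SHA256)`, so editing the username (David's concern) breaks the signature, and no password is ever stored on the client.

```java
// Added example (not from the thread): a servlet Filter that validates a
// signed "remember me" cookie. Cookie name, init-param and session attribute
// names are assumptions chosen for this illustration.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;

public class RememberMeFilter implements Filter {
    static final String COOKIE_NAME = "REMEMBER_ME";   // assumed cookie name
    static final String SESSION_ATTR = "rememberedUser"; // assumed session attribute
    private byte[] serverKey;                          // server-side secret, never sent to the client

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String key = cfg.getInitParameter("remember-me-key"); // assumed init-param set in web.xml
        if (key == null || key.length() < 32) {
            throw new ServletException("remember-me-key missing or too short");
        }
        serverKey = key.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = validate(cookieValue(http));
        if (user != null) {
            // Record who the cookie proves this is; application code checks this attribute.
            http.getSession(true).setAttribute(SESSION_ATTR, user);
        }
        chain.doFilter(req, res);
    }

    /** Returns the username if the cookie is well-formed, unexpired and correctly signed; else null. */
    String validate(String cookie) {
        if (cookie == null) return null;
        String[] parts = cookie.split(":", 3);   // username:expiryMillis:base64(hmac)
        if (parts.length != 3) return null;
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (expiry < System.currentTimeMillis()) return null;   // expired token
        byte[] given;
        try {
            given = Base64.getDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        byte[] expected = sign(parts[0], expiry);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return MessageDigest.isEqual(expected, given) ? parts[0] : null;
    }

    /** Builds the cookie value the login handler sets after a successful form login. */
    String issue(String username, long lifetimeMillis) {
        long expiry = System.currentTimeMillis() + lifetimeMillis;
        return username + ":" + expiry + ":" + Base64.getEncoder().encodeToString(sign(username, expiry));
    }

    private byte[] sign(String username, long expiry) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(serverKey, "HmacSHA256"));
            return mac.doFinal((username + ":" + expiry).getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String cookieValue(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    @Override
    public void destroy() {}
}
```

When the login handler calls `issue()` it should set the cookie with the HttpOnly and Secure flags. Note that this filter only establishes who the cookie belongs to; it does not log the user in to the container, so a resource protected by a `security-constraint` in web.xml will still trigger the container's own login form. A username containing a colon would fail the split and be rejected, which is the safe direction.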
 
Alec Lee
Ranch Hand
Posts: 569
Thanks for the reply. But I still have questions. When we do form-based authentication, these steps are involved normally:

1. user requests constrained resource.

2. container sees the constrained resource, returns the login form and somehow enters a mode expecting the 'j_security_check' URL.

3. user submits the login form which looks like <form action=j_security_check> with 'j_username' and 'j_password' parameters.

The important point is in step 2, the container AUTOMATICALLY enters a mode accepting the j_security_check URL as special request for login - rather than normal URL. This step is important because if we directly submit a form with 'j_security_check' while the container is not expecting it, it is treated as a normal URL.

This brings me to my problem: if I want my cookie (perhaps storing username & password) to trigger auto login, how can I cause the container to accept j_security_check as a login attempt?
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
It sounds like you're trying to bypass the form based authentication. My thoughts are: don't. If the user wants to cache the credentials in the browser then this should be sufficient.

Other than this, you may be able to set sessions not to expire and change the cookie from a session cookie to a regular persistent cookie, but this is not something I am comfortable suggesting.

You should require users to log in, otherwise your site is not secured.

Dave
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
Just as an addendum, you may want to look into other forms of authentication such as certificate based and see if this is a better fit for your requirements.
 