Well, the first place you went wrong was when you decided to write your own login instead of using the J2EE standard security system. Do-it-Yourself security systems are horribly insecure. In all the years I've worked with J2EE, I've never run across one that couldn't be cracked in fairly short order.
However, your more immediate problem is that you forgot to return "true" from your validation JavaScript.