I want to add cookie functionality to TheServerSide so that people don't have to log in all the time, kind of like on JavaLobby.org.
I was thinking of creating a cookie that stores a user's ID, and a hashcode of their password (this would prevent people fiddling with their cookie and assuming the identity of someone else). Pretty simple so far, now the problem is, how and when do I use this cookie on TheServerSide?
When should the server check to see if the cookie exists? On every web request? I would like to have a "You are logged in as ..." on every page. This means that either the server will read the cookie on every request, or read it once and "login" the user (so it would have to query a session bean for user's name on every request). How will this affect my servlet session, and ejb timeouts?
Depends on how your login servlet works. What I usually do is create an AuthenticatedServlet base class that stores your credentials in the session. I then extend this class for each servlet in the system. Thus every request is validated in the base service() method before it is allowed to continue. If there are no login credentials in the session, the user is redirected to a login page before prcoeeding. If however, a hashed cookie is found this is used to log the person in, populating the session with their credentials.
I am assuming that you guys are not using the built in J2EE security?
We are not using built in J2EE security, since WL 4.5.1 doesn't have J2EE support. When we upgrade to 5.1, we may switch to using the security support.
Hi friend ,
This is guda. I am presently working on a portal system.
I want to keep track the session with userid and password. and also i have to allow the user to view all pages without again relogin.. may be by using cookies..i too dont know corectly..if login expires or if the user is not the correct user.. then he must login... so for this i need some example code pls can u send for me ...
Thank you for ur cooperation.
This is how I do it too. Also, with regards to the timeout Floyd asked about, on each web request I reset the timeout - probably don't have to do it that way, but I do. That way, if the timeout is 15 minutes and a logged in user is actively moving around the site for 15 minutes +, they aren't suddenly sent to the log in page upon their next request.