How can I secure a JSP page after adding it to my hosting and making it live?

Question

I have a very basic login JSP that passes the variables to the servlet and checks from a MySQL DB if the username and password are available. Is this secure enough to use on a website, or does it need more security? If so, how to make it more secure?

This is the servlet:

import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.*;
import java.sql.*;

/**
 * Servlet implementation class loginServlet
*/
@WebServlet("/loginServlet")
public class loginServlet extends HttpServlet {

private static final long serialVersionUID = 1L;

/**
 * @seeHttpServlet#HttpServlet()
 */
public loginServlet() {
    super();
    // TODOAuto-generated constructor stub
}

/**
 * @seeHttpServlet#doGet(HttpServletRequest request, HttpServletResponse
 * response)
 */
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    // TODOAuto-generated method stub
}

/**
 * @seeHttpServlet#doPost(HttpServletRequest request, HttpServletResponse
 * response)
 */
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    HttpSession session = request.getSession();
    String email = request.getParameter("email");
    String pwd = request.getParameter("pass");
    try {
        Class.forName("com.mysql.jdbc.Driver");
        Connection con =
                DriverManager.getConnection("jdbc:mysql://localhost:3306/logindb",
                "root", "password");
        Statement st = con.createStatement();
        ResultSet rs;
        rs = st.executeQuery("select fname, lname, email from userAccount where Email='"
                + email + "' and password='" + pwd + "'");
        if (rs.next()) {
            session.setAttribute("email", email);
            session.setAttribute("Fullname", rs.getString(1) + " " + rs.getString(2));
            response.sendRedirect("success.jsp");
        } else {

            response.sendRedirect("fail.jsp");
        }
    } catch (Exception ssd) {
        System.out.println(ssd.getMessage());
    }
}
}

Answer 1

There are several security issues, and programming problems, with this code:

• unless the application is served over HTTPS, the password passes in clear text over the network
• passwords should not be stored in clear in a database. They should be salted using a random salt, and then hashed using a slow cryptographic algorithm like bcrypt. To check the password, you should salt and hash the input from the user, and compare the result with the salted and hashed password stored in the database
• your code doesn't use prepared statements, opening itself to SQL injection attacks
• your code doesn't use prepared stataments, which will make it fail, for example, as soon as there is a single quote inside the email or the password.
• you shouldn't catch Exception. Only catch exceptions that you can handle, and that are supposed to happen. For unexpected exceptions, displaying a generic error page is fine. For expected exceptions, you should handle them. Your catch block logs something in the server console, and leaves the user with a blank page.