I am trying to create a registration page using servlets. I have created a basic HTML page which has a form with input for username and password. Now what I need to do is store the information submitted to the form using cookies/sessions. Then on the log-in page, a user must be able to login using the information they provided earlier. So basically I need to know how to store the username and password.
So if I were to register with the username: admin and password: 123, and then register with the username: user and password: 12345, I shouldn't be able to log in with admin and 12345 or user and 123. Thanks!!
HTML FORM
<html>
<head>
<title>Registration</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body bgcolor="lightblue">
<center>
<h1></h1>
<br>
<hr>
<br><br>
<form action="/Registration" method="get">
<h3> Please register to start </h3>
Username: <input type="text" name="userName">
<br>
Password: <input type="password" name="password">
<br>
<br>
<input type="submit" value="Register">
<br><br>
</form>
</center>
</body>
</html>
JAVA SERVLET
protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // Create cookies for the submitted username and password.
    Cookie userName = new Cookie("userName",
            request.getParameter("userName"));
    Cookie password = new Cookie("password",
            request.getParameter("password"));
    // Set expiry date after 24 Hrs for both the cookies.
    userName.setMaxAge(60*60*24);
    password.setMaxAge(60*60*24);
    // Add both the cookies to the response header. Cookies have to be added
    // before any output is written, so this goes before processRequest().
    response.addCookie( userName );
    response.addCookie( password );
    processRequest(request, response);
}
To add a cookie to the response, use the addCookie(Cookie) method of the HttpServletResponse interface. To fetch cookies, the getCookies() method of the HttpServletRequest interface is used.
Since both HTTP and the web server are stateless, the only way to maintain a session is for some unique information about the session (a session id) to be passed between server and client in every request and response. There are several ways to provide a unique identifier in the request and response.
For login cookies, there are two common methods of storing login information in cookies: a signed cookie or a token cookie. Signed cookies typically store the user's name, maybe their user ID, when they last logged in, and whatever else the service may find useful.
The cookie allows the server to identify the user and retrieve the user session from the session database, so that the user session is maintained. A cookie-based session ends when the user logs off or closes the browser. Cookie-based session management is secure and has performance benefits over alternatives.
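The answer above mentions signed cookies without showing how the signature keeps the client from editing the value. The following is an added example, not code from the question or either answer, of a minimal HMAC-signed login cookie: the value carries the user name and an expiry, and an HMAC-SHA256 tag over those two fields computed with a server-side key. It assumes a 32-byte secret loaded from server configuration (here generated at random for the demo) and a constructed clock value; the class name SignedCookie and the `|`-separated layout are choices for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignedCookie {
    private static final String HMAC = "HmacSHA256";
    private final byte[] key;

    /** key: server-side secret (assumption: 32 random bytes from configuration; never sent to the client). */
    public SignedCookie(byte[] key) {
        this.key = key.clone();
    }

    /** Cookie value "userName|expiresEpochSeconds|base64url(HMAC over the first two fields)". */
    public String issue(String userName, long expiresEpochSeconds) {
        if (userName.indexOf('|') >= 0) {
            throw new IllegalArgumentException("user name may not contain '|'");
        }
        String payload = userName + "|" + expiresEpochSeconds;
        return payload + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(payload));
    }

    /** Returns the user name the cookie names, or null if the tag, the format or the expiry is wrong. */
    public String verify(String cookieValue, long nowEpochSeconds) {
        if (cookieValue == null) return null;
        int sep = cookieValue.lastIndexOf('|');
        if (sep <= 0) return null;
        String payload = cookieValue.substring(0, sep);
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(cookieValue.substring(sep + 1));
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison: do not use Arrays.equals on authentication tags.
        if (!MessageDigest.isEqual(hmac(payload), presented)) return null;
        String[] fields = payload.split("\\|", -1);
        if (fields.length != 2) return null;
        long expires;
        try {
            expires = Long.parseLong(fields[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        return nowEpochSeconds < expires ? fields[0] : null;
    }

    private byte[] hmac(String payload) {
        try {
            Mac mac = Mac.getInstance(HMAC);
            mac.init(new SecretKeySpec(key, HMAC));
            return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);          // stands in for the configured secret
        SignedCookie signer = new SignedCookie(key);
        long now = 1_700_000_000L;                  // constructed clock value for the demo

        String cookie = signer.issue("admin", now + 86_400);
        System.out.println("issued:   " + cookie);
        System.out.println("valid:    " + signer.verify(cookie, now));
        // Editing the name breaks the tag, so a client cannot promote itself to admin.
        System.out.println("tampered: " + signer.verify(cookie.replace("admin|", "user|"), now));
        System.out.println("expired:  " + signer.verify(cookie, now + 86_401));
    }
}
```

When the servlet sets this value, mark the Cookie with setHttpOnly(true) and setSecure(true) so it is neither readable from page scripts nor sent over plain HTTP. Note that the cookie still contains nothing secret: the server recognises it by recomputing the HMAC with its own key, which is why the password never needs to be stored in it.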
Cookies are stored on the client side and are sent to the server with each request. It is not good practice to put passwords in cookies because they are easily intercepted and in many cases stick around in the user's browser even after they leave the site.
You should be relying on a session. Java EE allows you to create a session with the user, whereby it will store a session id that is then sent with each request instead. You can store information about that user on the server instead.
Using your code here is how you can create a session.
// get the session; the argument `true` creates a session if one does not exist yet.
HttpSession session = request.getSession(true);
session.setAttribute("userName", request.getParameter("userName"));
session.setAttribute("password", request.getParameter("password"));
// to get the username and password (getAttribute returns Object, so cast back to String)
String userName = (String) session.getAttribute("userName");
String password = (String) session.getAttribute("password");
Now of course, if you do things this way, when you clear your server's cache usernames and passwords will be erased. Also, unencrypted passwords in the server's cache certainly have security concerns.
Edit:
If 2 people were to use the same computer then no, the code above would not work well. This is because the user's credentials are only stored in the session; there is nothing that persists after the session is destroyed or the data in the session is overwritten. Imagine the session is an object that is directly tied to each user. So right now I'm on StackOverflow, where somewhere in their code there is a special object just for me and my browser (the session!), and in the session object there is something else that says that the current logged-in user is me. I challenge you to think about how you could store the user's credentials outside the session and instead store the currently logged-in user inside the session.
To learn more about sessions and how they work there's a great answer here: What are sessions? How do they work? .
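The answer above ends by asking how to keep credentials outside the session and only the logged-in user inside it. The following is an added example, not code from the question or any answer, of the server-side part of that design: a store that keeps a random salt and a PBKDF2-SHA256 hash per user (via the JDK's SecretKeyFactory), so neither the session nor any cookie ever holds a password. It assumes an in-memory map in place of the database table a real registration page would use; the class name UserStore, the iteration count and the main() test data (the admin/123 and user/12345 pairs from the question) are choices for this illustration.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class UserStore {
    private static final int ITERATIONS = 210_000;   // PBKDF2 work factor (assumption; tune to your hardware)
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    private static final class Credential {
        final byte[] salt;
        final byte[] hash;
        Credential(byte[] salt, byte[] hash) {
            this.salt = salt;
            this.hash = hash;
        }
    }

    // Assumption: an in-memory map stands in for the users table of a real application.
    private final Map<String, Credential> users = new ConcurrentHashMap<>();

    /** Registers a new user; returns false if the name is already taken (the first registration wins). */
    public boolean register(String userName, char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        Credential c = new Credential(salt, pbkdf2(password, salt));
        return users.putIfAbsent(userName, c) == null;
    }

    /** Checks a login attempt. The stored hash never leaves the server. */
    public boolean authenticate(String userName, char[] password) {
        Credential c = users.get(userName);
        if (c == null) {
            // Pay the same hashing cost for unknown names, so response time does not reveal which users exist.
            pbkdf2(password, new byte[SALT_BYTES]);
            return false;
        }
        // Constant-time comparison of the recomputed hash against the stored one.
        return MessageDigest.isEqual(c.hash, pbkdf2(password, c.salt));
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        UserStore store = new UserStore();
        store.register("admin", "123".toCharArray());
        store.register("user", "12345".toCharArray());

        // The matching pairs succeed; the cross-combinations from the question fail.
        System.out.println("admin/123   -> " + store.authenticate("admin", "123".toCharArray()));
        System.out.println("user/12345  -> " + store.authenticate("user", "12345".toCharArray()));
        System.out.println("admin/12345 -> " + store.authenticate("admin", "12345".toCharArray()));
        System.out.println("user/123    -> " + store.authenticate("user", "123".toCharArray()));
        System.out.println("nobody/123  -> " + store.authenticate("nobody", "123".toCharArray()));
    }
}
```

In the login servlet, call store.authenticate(...) with the submitted fields and, only when it returns true, do request.changeSessionId() (Servlet 3.1 and later, to defeat session fixation) followed by session.setAttribute("user", userName). The session then records who is logged in, the store records how to check a password, and the password itself is discarded as soon as the hash has been computed.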