Login thing

Hello there,
I have a very simple login jsp that connects to an Oracle database. I want to be able to save the username that the user enters and then use it in subsequent pages for database queries. How should I go about this?
Here is the login page.
<%@ page language ="java" import="java.sql.*,oracle.jdbc.*" %>
<html>
<body bgcolor="white">
<H2 align=center>WIT Final Year Computing Projects Management System</H2><hr><br><H4 align=center>Log In Here</h4><br><p>
<form name="f1" method="post">
<TABLE cellSpacing=0 cellPadding=3 width="100%" align=center border=0><TBODY>
<TR vAlign=top>
<TD align=right width="40%"><B>User Name</b></td><td><input type="text" name="t1" ></td>
</TR>
<TR vAlign=top>
<TD align=right><B>Password:</B></TD>
<TD><input type="password" name="t2"></td>
</tr>
<TR vAlign=top>
<TD align=middle colSpan=2>
<TR vAlign=top>
<TD align=middle colSpan=2><input type="submit" name="b1" value="Log In"></td>
</tr>
</TBODY></table>
<%
String user=request.getParameter("t1");
String pass=request.getParameter("t2");
try{
Class.forName("oracle.jdbc.driver.OracleDriver");
Connection con=DriverManager.getConnection("jdbc racle:thin:@witnt07.wit.ie:1521 rawit","25CSD03", "25CSD03");
Statement st=con.createStatement();
ResultSet rs=st.executeQuery("select a_id,password from admindetails");
while(rs.next())
{
String username=rs.getString(1);
String password=rs.getString(2);
if(user.equals(username) && pass.equals(password))
{%>
<jsp:forward page="indexadmin.html"/>
<%}
else
%>
<jsp:forward page="loginfailed.html"/>
<%
}
}catch(Exception e1)
{}
%>
</form>
</body>
</html>

Thanks,
Ray (In a bad mood!)

while(rs.next()) { String username=rs.getString(1); String password=rs.getString(2); if(user.equals(username) && pass.equals(password)) { session.setAttribute("username", username); session.setAttribute("password", password); %> <jsp:forward page="indexadmin.html"/> <%} else
That should do the trick nicely.

How does this code work!?
session.setAttribute("username", username);
session.setAttribute("password", password);
Is it setting up a session variable?
Or does the variable exist until the user closes the window?
And is that all the code I need?
And finally how do I access it?
Ray(Slightly happier!)

I think a better way can be adopted by modifying the SQL a bit:
... PreparedStatement ps = conn.prepareStatement(SELECT count(1) FROM admindetail WHERE username=? and password=?"; ps.setString(1, username); ps.setString(2, password); ResultSet rs = ps.executeQuery(ps); if (rs != null && rs.next()) { // you know the record is in the database // set session attribute } else { // login fail }
Does this better?
Nick.

In addition, if you need to execute SQL statement via JSP, it is better to use PreparedStatement, instead of using Statement.
Depending on the usage of Statement, there maybe a security issue for hackers to obtain DB data.
Nick.

Originally posted by Ray Godfrey:
How does this code work!?
session.setAttribute("username", username);
session.setAttribute("password", password);
Is it setting up a session variable?
Or does the variable exist until the user closes the window?
And is that all the code I need?
And finally how do I access it?
Ray(Slightly happier!)

that's all you need to persist the data across requests. It will exist until the session times out (timeout interval is set in server or webapp configuration files) due to there being no request from the same browser instance for the timeout period or when you call session.invalidate().
You can access them by using session.getAttribute("username") (for example).
The session variable is automatic in JSPs, in a servlet you'd have to use request.getSession() first to retrieve the session from the request.

Originally posted by Nicholas Cheung:
I think a better way can be adopted by modifying the SQL a bit:
... PreparedStatement ps = conn.prepareStatement(SELECT count(1) FROM admindetail WHERE username=? and password=?"; ps.setString(1, username); ps.setString(2, password); ResultSet rs = ps.executeQuery(ps); if (rs != null && rs.next()) { // you know the record is in the database // set session attribute } else { // login fail }
Does this better?
Nick.

Yes, that would be slightly faster and more secure (protecting against the ResultSet being null, which according to the JDBC specs should never happen but I have encountered it in the past is a good idea). Other than that it doesn't affect the problem at hand so I omitted the extra check.

Hi Ray:

Is it setting up a session variable?

NO. A session variable is already implicitly declared. You are not required to define it, but you can use it. In fact, there are 9 implicit variables that can be used without declaring.
1. request
2. response
3. exception (the attribute errorPage inside page directive must be true)
4. session (the attribute session inside page directive must be true)
5. page
6. pageContext
7. application (the servlet context)
8. config
9. out

Or does the variable exist until the user closes the window?

session variable is destroyed, when the session is invalidated. If the browser simply closed without any signals sent to the server, the session still there, until the timeout period reaches.

And is that all the code I need?

Depends on what you want to store. In fact, you can see that the session can store ANY Java objects, not just strings. Thus, if you want, you can do this:
UserObject uo = new UserObject(username, password); session.setAttribute("user_token", uo);
When you get it back from the session, you can trace who is the current user.

And finally how do I access it?

You can access it by:
UserObject uo1 = (UserObject) session.getAttribute("user_token");
Hope this help.
Nick.

Yes, that would be slightly faster and more secure

yes. This is our practice while connecting to DB via JDBC.
The maniplication of the ResultSet is not really important, the key point in the suggestion is to use PreparedStatement, instead of Statement, for security reason.
Nick.

Another nice addition I've used for security as well as flexibility is to store all SQL outside the Java/JSP source in a ResourceBundle or XML file and access it from there.
That way even if the JSP gets compromised in some way and the code sent out over the net the actual SQL code is never seen by the client as it's hidden in an area that's not accessible through HTTP requests.
If a cracker compromises the server and gets root access through telnet all bets are off of course but that was the case anyway.

Speaking of security, I would definitely avoid having a password floating around as a session variable. The only time the password should be on the wire is when it is sent from the client to the server for authentication purposes. After successful authentication, you should not need the password anymore. Of course, you'll want to implement SSL during the login to ensure that when the password does go over the wire, it is encrypted.
WS

The password is never sent over the wire if stored in the session.
That's a common misconception that's patently false.
Only the sessionID is ever sent to the client.
I do agree that the password should be encrypted.
In fact, I'd say the password should be MD5 encrypted before storage, then the entered password encrypted and compared with that.
Of course you'd not need the password after that, but as it was the question...

In fact, the most easiest way is to store only the userid, and a token indicates that whether the user can login, other than that, unless specified, no additional info should be stored.
Nick.