It's not a secret anymore!
The moose likes JSP and the fly likes How to Remember Me? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JSP
Bookmark "How to Remember Me?" Watch "How to Remember Me?" New topic

How to Remember Me?

Mick Nickel

Joined: Jun 26, 2006
Posts: 1
I've been working on a small web-app for some fun and practice, and I want to introduce a 'Remember Me?' button on the login page. When set, some data is stored in a cookie so the user doesn't have to log-in next time.

But I'm not quite sure at the moment what value to store in the cookie. My first thought is to call the cookie 'mydemosite_remember' or something, and the value would be the a string consisting of the username, followed by some delimiter, followed by some unique identifier. Should the unique identifier just be some randomly generated string of alphanumerics that I store in the database?

I was thinking alternatively of creating a hash of a random String (which I store in the database) concatenated with the user's IP. This would then prevent someone from just copying someone else's Cookies and bypassing their authentication. However, I'm guessing this would prove an issue with people who have dynamic IPs.

Has anyone implemented such a feature? Any advice on a sensible path to take with it?
Darren Edwards
Ranch Hand

Joined: Aug 17, 2005
Posts: 69
All you really need is to generate some random string which the server can use to lookup the rest of the user details. There is no need to store username, ip hash or anything like that on the user side.

As you say this is only for fun and practice, but it raises the question of what level of trust do you give to a user who has been authenticated without entering their username or password?
I agree. Here's the link:
subject: How to Remember Me?
It's not a secret anymore!