Suppose we store the authentication info in cookie so that user would be auto authenticated next time he return. But if we are using form based declarative authentication, we must explicitly access a constrained resource in order to trigger the container to return the login form.
How do we use the cookie to supply the credential to the container?
Always be careful about accepting any information from the client, even in cookies. This doesn't necessarily answer your question, but if you implemented a solution where the cookie contained just the username and no other data, users could hack other accounts by modifing the cookie sent.
Joined: Jan 28, 2004
Thanks for the reply. But I still have questions. When we do form-based authentication, these steps are involved normally:
1. user requests constrained resource.
2. container sees the constrained resource and returns the login form and somehow enter a mode expecting the 'j_security_check' URL.
3. user submits the login form which looks like <form action=j_security_check> with 'j_username' and 'j_password' parameters.
The important point is in step 2, the container AUTOMATICALLY enters a mode accepting the j_security_check URL as special request for login - rather than normal URL. This step is important because if we directly submit a form with 'j_security_check' while the container is not expecting it, it is treated as a normal URL.
This comes to my problem, if I want my cookie (perhaps storing username & password) to trigger auto login, how can I cause the container to accept j_security_check to mean login attempt.