It is MUCH better to let the server handle login. I have seen a lot of J2EE apps in the last 10 years, but I've yet to come across one with a user-designed security system that wasn't full of holes. It's far better to employ a pre-debugged, well-documented standard security architecture than it is to be "clever" and invent your own unique one with its own unique bugs. Although actually some of the bugs I've seen in DIY security were depressingly non-unique.
I'm really rather annoyed at the authors of Java books that start off their examples with a "login screen", since, as I've said, DIY security systems are rarely capable of withstanding 10 minutes' worth of hacking.
Customer surveys are for companies who didn't pay proper attention to begin with.