Authentication with any sort of self-invented security system is a bad choice. It's a lot of extra work and I'll accept good odds that it won't actually be secure.
There's a perfectly useful security system built into J2EE and any good book on J2EE will tell you how to set up web.xml to use it. In most J2EE servers, it will attempt to pass a session identifier that anchors both your session data and the server security data, and that session ID is in a cookie unless the user has cookies turned off. However, the J2EE session manager handles that cookie itself, and application programmers don't have to do anything with it. In fact, they can't, since the session ID is useless except to the server itself.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.