Thanks for your reply Joe. Actually I cannot understand your reply, sorry for that, but I would like to tell you that I have used the Hashing & Salting method. The problem is I am using sessions; even after invalidating them my project stops working, due to the sessions problem only.
These are the problems as I see them:
1) You are creating a new hash each time a user comes to log in; however, you should either be a) using a system-wide salt, where all users are given the same salt, b) generating a random salt for each user, storing that in the database and using it when they attempt to log in, or c) using another property (such as the username) as the salt.
As you can probably guess, b) would probably be the best.
So you should not have this: on your userLogin.jsp
2) In your checking code you have: you seem to be hashing and salting the password that you are retrieving from the database, but you should be hashing and salting the password that the user has entered and then comparing that to the password you have stored in the database (which should have already been hashed and salted, which is why you always need to use the same salt...).
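The flow this answer recommends, option b) with the comparison done the right way round, as an added example that is not code from the original post or from the asker's project. It generates a random salt once at registration, stores salt and hash together, and at login hashes the password the user typed with the stored salt before comparing. It assumes PBKDF2 from javax.crypto in place of whatever hash call the project uses (the answer does not specify one), an in-memory map standing in for the users table, and an iteration count chosen here for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedPasswordDemo {

    // Stands in for the users table: username -> (salt, hash), both Base64.
    // A real project would read/write these two columns with JDBC instead.
    static final class StoredCredential {
        final String saltB64;
        final String hashB64;
        StoredCredential(String saltB64, String hashB64) {
            this.saltB64 = saltB64;
            this.hashB64 = hashB64;
        }
    }
    static final Map<String, StoredCredential> USERS = new HashMap<>();

    static final SecureRandom RNG = new SecureRandom();
    static final int SALT_BYTES = 16;
    static final int ITERATIONS = 210_000;   // assumed work factor, tune for your hardware
    static final int KEY_BITS = 256;

    // Fresh random salt, generated ONCE per user at registration (option b).
    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    // Salted, iterated hash (PBKDF2-HMAC-SHA256). The same salt must be
    // used at registration and at every later login for the same user.
    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Registration: generate the salt, hash the chosen password with it,
    // and store salt + hash side by side so login can find the salt again.
    static void register(String username, char[] password) throws Exception {
        byte[] salt = newSalt();
        byte[] hash = hash(password, salt);
        USERS.put(username, new StoredCredential(b64(salt), b64(hash)));
        Arrays.fill(password, '\0');   // don't keep the plaintext around
    }

    // Login: look up the stored salt, hash what the user TYPED with it, and
    // compare to the stored hash. Never hash the value read from the database
    // again; it is already a hash, and hashing it twice will never match.
    static boolean login(String username, char[] attempt) throws Exception {
        try {
            StoredCredential cred = USERS.get(username);
            if (cred == null) {
                hash(attempt, new byte[SALT_BYTES]);   // burn the same time for unknown users
                return false;
            }
            byte[] salt = Base64.getDecoder().decode(cred.saltB64);
            byte[] expected = Base64.getDecoder().decode(cred.hashB64);
            byte[] actual = hash(attempt, salt);
            return MessageDigest.isEqual(expected, actual);   // constant-time compare
        } finally {
            Arrays.fill(attempt, '\0');
        }
    }

    static String b64(byte[] bytes) {
        return Base64.getEncoder().encodeToString(bytes);
    }

    public static void main(String[] args) throws Exception {
        register("alice", "correct horse battery staple".toCharArray());
        System.out.println("correct password: "
                + login("alice", "correct horse battery staple".toCharArray()));
        System.out.println("wrong password:   "
                + login("alice", "wrong".toCharArray()));
        System.out.println("unknown user:     "
                + login("bob", "anything".toCharArray()));
    }
}
```

In the JSP project the register() and login() bodies would move into the servlet or bean that talks to the database, with the salt and hash columns replacing the map; the point to carry over is that userLogin.jsp should never generate a salt, only fetch the one stored for that user.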