• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Tim Cooke
  • Liutauras Vilda
  • Jeanne Boyarsky
  • paul wheaton
Sheriffs:
  • Ron McLeod
  • Devaka Cooray
  • Henry Wong
Saloon Keepers:
  • Tim Holloway
  • Stephan van Hulst
  • Carey Brown
  • Tim Moores
  • Mikalai Zaikin
Bartenders:
  • Frits Walraven

Auto Login By Username in Cookie

 
Ranch Hand
Posts: 569
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Suppose we store the authentication info in cookie so that user would be auto authenticated next time he return. But if we are using form based declarative authentication, we must explicitly access a constrained resource in order to trigger the container to return the login form.

How do we use the cookie to supply the credential to the container?
 
Ranch Hand
Posts: 135
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You could create a Filter that checks the validity of the login credentials in client cookies before forwarding the request to the targeted resource.
 
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Always be careful about accepting any information from the client, even in cookies. This doesn't necessarily answer your question, but if you implemented a solution where the cookie contained just the username and no other data, users could hack other accounts by modifing the cookie sent.
 
Alec Lee
Ranch Hand
Posts: 569
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks for the reply. But I still have questions. When we do form-based authentication, these steps are involved normally:

1. user requests constrained resource.

2. container sees the constrained resource and returns the login form and
somehow enter a mode expecting the 'j_security_check' URL.

3. user submits the login form which looks like <form action=j_security_check> with 'j_username' and 'j_password' parameters.

The important point is in step 2, the container AUTOMATICALLY enters a mode accepting the j_security_check URL as special request for login - rather than normal URL. This step is important because if we directly submit a form with 'j_security_check' while the container is not expecting it, it is treated as a normal URL.

This comes to my problem, if I want my cookie (perhaps storing username & password) to trigger auto login, how can I cause the container to accept j_security_check to mean login attempt.
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
It sounds like you're trying to bypass the form based authentication. My thoughts are: don't. If the user wants to cache the credentials in the browser then this is should be sufficient.

Other than this, you may be able to set sessions not to expire and change the cookie from a session cookie to a regular persistent cookie, but this is not something I am comfortable suggesting.

You should require users to log in, otherwise your site is not secured.

Dave
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Just as an adendum, you may want to look into other forms of authentication such as certificate based and see if this is a better fit to your requirements.
 
We can walk to school together. And we can both read this tiny ad:
Gift giving made easy with the permaculture playing cards
https://coderanch.com/t/777758/Gift-giving-easy-permaculture-playing
reply
    Bookmark Topic Watch Topic
  • New Topic