posted 18 years ago
In some sites like javaranch.com itself, you dont have to login everytime. After the user logon for the first time, a cookie will be created in the client storing the login information so that the user is automatically login we he returns. Let not focus on how secure this kind of cookie initiated login is (well, afterall who would hack your password in order to post a message in bulletin board). I would like to know how we could do this if the appli is using form-based authentication.
Recall that when we do form-based authentication, these steps are involved normally:
1. User requests a constrained resource.
2. Container sees the constrained resource and returns the login form and somehow enter a mode expecting the 'j_security_check' URL.
3. User submits the login form which looks like <form action=j_security_check> with 'j_username' and 'j_password' parameters.
The important point is in step 2, the container AUTOMATICALLY enters a mode accepting the j_security_check URL as special request for login - rather than normal URL. This step is important because if we directly submit a form with 'j_security_check' while the container is not expecting it, it is treated as a normal URL.
This comes to a problem, if I want my cookie (perhaps storing username & password) to trigger auto login, how can I cause the container to accept j_security_check to mean login attempt.