1

I have a login form on which there is an option "Keep me sign in" in. If user check this option and press the login button. Then i think i can save the username and password in a cookie and send it to user computer. Then when user open the site again , i can check whether that cookie is present in user computer or not , if it is then get the username and password from the cookie and sign in the user. But the problem is how can i send cookie to the user computer? As far as i know. You can set the cookie in that way

Cookie userCookie = new Cookie("userCookie", "loginUser");
//sessionCookie.setMaxAge(60 * 15);
userCookie.setPath("/");
httpServletResponse.addCookie(userCookie);

If i don't set the setMaxAge then it's a browser level cookie, i.e., when user closes the browser then the cookie will be deleted. How can i send that cookie to user computer and get from the user computer to automatically sign in?

Thanks

Basit
  • 8,426
  • 46
  • 116
  • 196
  • possible duplicate of http://stackoverflow.com/questions/5836413/cookies-for-remember-me-in-jsf. You can take a look at the attached links for implementation. – Ravi Kadaboina Jul 26 '12 at 14:34

1 Answers1

0

Either way, you should never, never, NEVER store the password in a cookie!

Here is a nice article about persitent cookies : Persistent Login Cookie Best Practice http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/

The essentials from the article:

Premises

  • Cookies are vulnerable. Between common browser cookie-theft vulnerabilities and cross-site scripting attacks, we must accept that cookies are not safe
  • Persistent login cookies are on their own sufficient authentication to access a website. They are the equivalent of both a valid username and password rolled into one
  • Users reuse passwords. Hence, any login cookie from which you can recover the user's password holds significantly more potential for harm than one from which you can not
  • Binding persistent cookies to a particular IP address makes them not particularly persistent in many common cases
  • A user may wish to have persistent cookies on multiple web browsers on different machines simultaneously

The author suggests to associate the username with a large random number, which is a common practice.

tasel
  • 629
  • 5
  • 15
  • hhmmm thanks. The site mentions that `The cookie should consist of the user's username, followed by a separator character, followed by some large random number (128 bits seems mind-bogglingly large enough to be acceptable). The server keeps a table of number->username associations.` . i know my userName that user entered in the text Field(say Basit). So what i understood is that, made a cookie like `Basit-67*98`. Then how can i implement the table i.e.,`server keeps a table of number->username associations`. Means after creating cookie save this name i.e.,`Basit-67*98` in database also? – Basit Jul 26 '12 at 11:08
  • and when user open the website next time and i'll get the cookie then check this cookie value in the database, and if exist then login the user, and then channge the name again, like `Basit-45*23`? Is it? – Basit Jul 26 '12 at 11:10
  • The main point about he number is that it has to be *random*. The larger the numbner the more unlikely it is that somebady may "guess" a valid number given he knows you username. The table could be made of just three columns: username, number and expiration date. When a user enters the site the cookie is transmitted. The username and number are extracted from it (by splitting them at the seperator char). The server looks up if there is an entry for the combination of username and number. If the expiration date is not yet reached, the cookie is considered to be valid -> Server logs the user in – tasel Jul 26 '12 at 14:45
  • Hmm means the flow should be something like, `i have a form, user enter his name and password in the field and check the keep me sign in check box. Click the login button. At that time i have userName and password. If user mark the checkbox then i will create a cookie like `Basit-randomNumber(say 1789* 6542 with java.util.random)`and send this to client, and also save Basit cookie in a database with the column names you mentioned. Next time when user open the site, i check for the cookie, if that cookie present, then confirm it with the database and if it is matched then login the user` Is it? – Basit Jul 27 '12 at 04:57