The code below was written to allow the application to remember the user's login details, to avoid re-login when opening the login page again. But the functionality cannot be incorporated; the login needs to be done each time.

```jsp
<%
    // Credentials and "remember" options submitted by the login form
    String userName = request.getParameter("username");
    String password = request.getParameter("password");
    String rm_me = request.getParameter("rm_me");
    String rm_uname = request.getParameter("rm_uname");
    if (userName != null && password != null) {
        if (rm_me != null) {
            // "Remember me" was ticked: build the username and password cookies
            Cookie ckU = new Cookie("username", userName);
            Cookie ckP = new Cookie("password", password);
            response.addCookie(ckP);
        } else {
            if (rm_uname != null) {
                // Only "remember username" was ticked
                Cookie ckU = new Cookie("username", userName);
            }
        }
    }
    // Read any previously stored values back from the request's cookies
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            if (cookies[i].getName().equals("username")) {
                userName = cookies[i].getValue();
            }
            if (cookies[i].getName().equals("password")) {
                password = cookies[i].getValue();
            }
        }
    }
%>
```
Harry Joy
TEBBY
  • @feeela I think it's `Why?` like in `The login needs to be retype each time - why?` :) – Martin Hennings Mar 04 '11 at 13:16
  • Storing the username and password as plain-text cookies is bad, even if HTTPS is used. This enables someone with access to the machine to determine the password, even if not the user. Of course, it's not as bad as it would be if it were plain HTTP ... but either way, it's bad. – Jeff Parker Mar 04 '11 at 13:31
  • Related: http://stackoverflow.com/questions/2185951/java-how-do-i-keep-a-user-logged-into-my-site-for-months – BalusC Mar 04 '11 at 14:27

1 Answer

You never add the Cookie `ckU` to the response.

Did you display the value after reading? BTW, try to look at the comments above; they are quite interesting regarding security.

M'vy
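The comments on the question note that a password kept in a cookie can be read by anyone with access to the machine. As an added example (not code from the question or the answer), a remember-me cookie can instead carry a random single-use token whose hash is kept server-side; the class name `RememberMe`, the in-memory `STORE` and the cookie name `remember` are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example; RememberMe, STORE and the cookie name "remember" are hypothetical.
public class RememberMe {
    private static final SecureRandom RNG = new SecureRandom();
    // Stand-in for a database table: selector -> (userName, SHA-256 of validator).
    private static final Map<String, Map.Entry<String, byte[]>> STORE = new ConcurrentHashMap<>();

    private static String random(int bytes) {
        byte[] b = new byte[bytes];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Call after a successful password check; the return value goes into the cookie.
    public static String issue(String userName) throws Exception {
        String selector = random(12), validator = random(32);
        STORE.put(selector, Map.entry(userName, sha256(validator)));
        return selector + "." + validator;
    }

    // Call when a request carries the cookie; returns the user name or null.
    public static String verify(String cookieValue) throws Exception {
        String[] parts = cookieValue == null ? new String[0] : cookieValue.split("\\.", 2);
        if (parts.length != 2) return null;
        // Single use: the row is deleted on every attempt; issue() a new token on success.
        Map.Entry<String, byte[]> row = STORE.remove(parts[0]);
        if (row == null) return null;
        // Constant-time comparison of the stored hash with the presented validator's hash.
        return MessageDigest.isEqual(row.getValue(), sha256(parts[1])) ? row.getKey() : null;
    }

    public static void main(String[] args) throws Exception {
        String value = issue("alice"); // constructed sample user
        // In a JSP or servlet: response.addHeader("Set-Cookie", header);
        System.out.println("remember=" + value + "; Max-Age=2592000; Path=/; Secure; HttpOnly; SameSite=Lax");
        System.out.println("first use: " + verify(value));
        System.out.println("replay:    " + verify(value));
        System.out.println("forged:    " + verify("bogus.token"));
    }
}
```

`Secure` restricts the cookie to HTTPS and `HttpOnly` keeps it out of reach of page scripts; the password itself is never written to the browser.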