java - Cookies for "Remember me" in JSF


I have a login page and want to add a "remember me" feature: if the user logs out and opens the page again, the username and password are loaded. For this, when the user logs in (and "remember me" is checked), I save the following cookies:

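    import javax.faces.context.FacesContext;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletResponse;

    FacesContext facesContext = FacesContext.getCurrentInstance();

    // Cookie holding the username, kept for one hour
    Cookie userCookie = new Cookie("vtusername", username);
    userCookie.setMaxAge(3600);
    ((HttpServletResponse) facesContext.getExternalContext()
            .getResponse()).addCookie(userCookie);

    // Cookie holding the password, kept for one hour
    Cookie passCokie = new Cookie("vtpassword", password);
    passCokie.setMaxAge(3600);
    ((HttpServletResponse) facesContext.getExternalContext()
            .getResponse()).addCookie(passCokie);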

The problem is that later (in the same session) I read the cookies and see maxAge = -1, even though I'm setting 3600... Why is that? Another issue: if I set the cookie as secure with userCookie.setSecure(true), I can't read it (it disappears).

Another question: since the password is being stored in a cookie, should I encrypt it? How? What is the best practice?

Thanks in advance.

The problem is that later (in the same session) I read the cookies and see maxAge = -1, even though I'm setting 3600... Why is that?

Because the browser doesn't send the maxAge back. It sends the cookie name=value back. The maxAge is stored in the browser. You can check it in the cookie viewer/editor of the web browser itself. In Firefox, for example, you can check the cookies via Tools > Options > Privacy > Remove individual cookies. Enter the domain (e.g. localhost) to see the cookies.

Another issue: if I set the cookie as secure with userCookie.setSecure(true), I can't read it (it disappears).

It works when the request/response is served over HTTPS instead of HTTP. Also, when the request is served over HTTPS, it defaults to secure=true.

Another question: since the password is being stored in a cookie, should I encrypt it? How? What is the best practice?

Do not store the raw name/password in 2 cookies. Apart from that it can go in a single cookie, it is a bad idea and hackable. Use a single cookie with an autogenerated, long, unique and impossible-to-guess value. Store this value along with the user ID in a database on the server side. When someone visits the site with this cookie and the user is not logged in yet (i.e. there's no user object in the session), you can do an automatic login.

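One way to implement the single random token recommended in the answer above, as an added example that is not part of the original post or the answerer's code. The class name, the in-memory map standing in for the database, storing only a SHA-256 digest of the token, the expiry check and the single-use redemption are all assumptions of this example (Java 16+ for `record`).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper: the map stands in for the server-side database table.
public class RememberMeTokens {
    private record Entry(String userId, Instant expires) {}

    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Entry> store = new ConcurrentHashMap<>();

    // Returns the value to put in the single "remember me" cookie.
    public String issue(String userId, long maxAgeSeconds) {
        byte[] raw = new byte[32];                        // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(sha256(token), new Entry(userId, Instant.now().plusSeconds(maxAgeSeconds)));
        return token;
    }

    // Called when a request carries the cookie but the session has no user yet.
    public Optional<String> redeem(String token) {
        if (token == null) return Optional.empty();
        Entry e = store.remove(sha256(token));            // single use: issue a fresh token after login
        if (e == null || Instant.now().isAfter(e.expires())) return Optional.empty();
        return Optional.of(e.userId());
    }

    // Only the digest is kept server-side (an assumption of this example, beyond the answer).
    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (java.security.NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);
        }
    }

    public static void main(String[] args) {
        RememberMeTokens tokens = new RememberMeTokens();
        String cookieValue = tokens.issue("user-42", 3600);   // constructed sample user id
        System.out.println(tokens.redeem(cookieValue));       // first use of the issued token
        System.out.println(tokens.redeem(cookieValue));       // same token presented again
        System.out.println(tokens.redeem("guessed-value"));   // value that was never issued
    }
}
```

When the returned value is written to the response, `Cookie.setSecure(true)` and `Cookie.setHttpOnly(true)` keep it off plain HTTP and out of reach of page scripts.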