    } else {
      boolean validated =
          loginService.isUserValid(username, password);
      if (validated) {
        // Insecure: the plaintext password is written into a client-side cookie
        Cookie loginCookie = new Cookie("rememberme",
            username + ";" + new String(password));
        response.addCookie(loginCookie);
        // ... forward to welcome page
      } else {
        // Set error and return
      }
    }
  } else {
    // No remember-me functionality selected
    // Proceed with regular authentication;
    // if it fails set error and return
  }
  Arrays.fill(password, ' ');
}
However, this attempt to implement the remember-me functionality is insecure. The cookie carries the user name and the plaintext password, so an attacker with access to the client machine (or to the browser's cookie store) can read the credentials directly on the client, and the same credentials are resent with every request. Because the server later accepts the cookie's contents as a substitute for the password, the cookie is a password equivalent. This code also violates Guideline 13, "Store passwords using a hash function."
Compliant Solution (Session)
This compliant solution implements the remember-me functionality by storing the user name and a secure random string in the cookie instead of the password; the password is used only to authenticate on the server and never leaves it. It also maintains state in the session using HttpSession:
protected void doPost(HttpServletRequest request,
                      HttpServletResponse response) {
  // Validate input (omitted)
  String username = request.getParameter("username");
  char[] password =
      request.getParameter("password").toCharArray();
  boolean rememberMe =
      Boolean.valueOf(request.getParameter("rememberme"));
  LoginService loginService = new LoginServiceImpl();
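The following is an added example and is not code from Java Coding Guidelines. It models the server side of the technique described above (user name plus a secure random string in the cookie, authentication state kept on the server) as a plain Java class with no servlet dependency, so it compiles and runs stand-alone on Java 11 or later with `java RememberMeTokens.java`. The class name, the in-memory map standing in for the HttpSession or user database, and the user "alice" are assumptions; it also goes beyond the text in two ways that a practitioner would want: only a SHA-256 hash of the token is kept server side, and the token is rotated on every successful use so a stolen cookie stops working once the legitimate browser presents its own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Remember-me tokens without a password on the client (added example).
 * The cookie value is "username;token"; the server keeps only SHA-256(token),
 * so neither the cookie nor the server store reveals the password or the token.
 */
public final class RememberMeTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int TOKEN_BYTES = 32;   // 256 bits of entropy per token

    // Hypothetical in-memory store standing in for the session or user database:
    // username -> SHA-256 of the single token currently valid for that user.
    private final Map<String, byte[]> tokenHashes = new ConcurrentHashMap<>();

    /** Call only after the password has been verified. Returns the cookie value. */
    public String issue(String username) {
        byte[] raw = new byte[TOKEN_BYTES];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokenHashes.put(username, sha256(token));   // store the hash, never the token
        return username + ";" + token;
    }

    /**
     * Validates a presented cookie value. On success the old token is replaced and
     * the new cookie value is returned; a replayed copy of the old cookie is refused.
     */
    public Optional<String> validateAndRotate(String cookieValue) {
        if (cookieValue == null) {
            return Optional.empty();
        }
        // Limit -1 keeps empty trailing fields, so "alice;" is rejected as malformed
        // and a user name containing ';' cannot smuggle in a third field.
        String[] parts = cookieValue.split(";", -1);
        if (parts.length != 2 || parts[0].isEmpty() || parts[1].isEmpty()) {
            return Optional.empty();
        }
        byte[] presented = sha256(parts[1]);        // hash before the lookup so the
        byte[] expected = tokenHashes.get(parts[0]); // unknown-user path costs the same
        // MessageDigest.isEqual is constant time, so a guessed token leaks no timing.
        if (expected == null || !MessageDigest.isEqual(expected, presented)) {
            return Optional.empty();
        }
        return Optional.of(issue(parts[0]));
    }

    /** Logout or password change: invalidate the user's remember-me token. */
    public void revoke(String username) {
        tokenHashes.remove(username);
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256")
                                .digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    // Self-check with a constructed user; each failure throws instead of printing.
    public static void main(String[] args) {
        RememberMeTokens store = new RememberMeTokens();
        String cookie = store.issue("alice");              // after isUserValid(...) succeeded
        Optional<String> rotated = store.validateAndRotate(cookie);
        if (!rotated.isPresent()) throw new AssertionError("fresh cookie must validate");
        if (store.validateAndRotate(cookie).isPresent())
            throw new AssertionError("replayed cookie must be rejected after rotation");
        if (store.validateAndRotate("alice;not-the-token").isPresent())
            throw new AssertionError("guessed token must be rejected");
        if (store.validateAndRotate("alice").isPresent())
            throw new AssertionError("malformed cookie must be rejected");
        store.revoke("alice");
        if (store.validateAndRotate(rotated.get()).isPresent())
            throw new AssertionError("revoked token must be rejected");
        System.out.println("remember-me token checks passed");
    }
}
```

In a servlet, `issue` would be called where the noncompliant code built its cookie, and the returned value placed in the Cookie with `setHttpOnly(true)` and `setSecure(true)` (both available from Servlet 3.0) so scripts cannot read it and it is never sent over plain HTTP; `validateAndRotate` replaces the cookie-to-`isUserValid` path, and `revoke` belongs in the logout handler and wherever the password is changed.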