Using Cookies to Store Login


Many sites now use a persistent cookie to let a returning customer into the site without logging in again. This has its good and bad points. The good side is that it removes a barrier that might discourage a customer from using your site. The bad side is that it can give an attacker unauthorized access to a customer's account, either by forging the cookie or by getting hold of the real one (from the user's PC, or from the network if the site is not served over HTTPS). There's not much you can do about a compromised PC, but you can make forgery much harder by taking a few basic precautions:

  • Don't store just the username; store both the username and the password. That way, an attacker can't create a working cookie knowing only the customer's username (in this case, the e-mail address). Be aware of what this costs: anyone who reads the cookie now has the password itself, and the server-side check only works if the database holds passwords in plain text. A random token that the server associates with the account serves the same purpose without either problem.

  • Don't store the data in plain text in the cookie. Otherwise, anyone who gains access to the computer can read the information simply by opening the browser's cookie file.

Let's look at how to implement automatic login using cookies on your site. To start, you need to add some JSP to the login page that sends the cookies back to the browser (see Listing 8.16).

Listing 8.16 Login.jsp Revised
<%@ page import="com.bfg.customer.Customer" %>
<%@ page import="javax.servlet.http.Cookie" %>
<%@ page import="java.util.Base64" %>
<jsp:useBean id="customer" class="com.bfg.customer.Customer" scope="session"/>
<%
String error = null;
if (request.getParameter("SUBMITTED") != null) {
    String email = request.getParameter("email");
    String password = request.getParameter("password");
    // A missing parameter must not cause a NullPointerException.
    Customer c = (email == null) ? null : Customer.findCustomer(email);
    if (c == null) {
        error = "No such e-Mail found, please try again.";
    } else if (password != null && password.equals(c.getPassword())) {
        // Record the login in the session so that the other pages see it.
        customer = c;
        session.setAttribute("customer", c);
        // URL-safe Base64 without padding or line breaks: the result contains only
        // letters, digits, '-' and '_', all of which are legal in a cookie value.
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        Cookie cook = new Cookie("bfgUsername",
                                 enc.encodeToString(c.getEmail().getBytes("UTF-8")));
        cook.setMaxAge(3600*24*365);   // one year
        cook.setPath("/");             // send the cookie to every page on the site
        response.addCookie(cook);
        cook = new Cookie("bfgPassword",
                          enc.encodeToString(c.getPassword().getBytes("UTF-8")));
        cook.setMaxAge(3600*24*365);
        cook.setPath("/");
        response.addCookie(cook);
        response.sendRedirect("LoggedIn.jsp");
        return;   // nothing further should be written after a redirect
    } else {
        error = "Invalid Password";
    }
}
%>
<HEAD><TITLE>Please Log In</TITLE></HEAD><BODY>
<FORM METHOD=POST ACTION="Login.jsp">
<INPUT TYPE="HIDDEN" NAME="SUBMITTED" VALUE="T">
<% if (error != null) { %>
<FONT COLOR="#FF0000"><%= error %></FONT><BR>
<% } %>
e-Mail Address: <INPUT NAME="email" TYPE="TEXT" SIZE=50><BR>
Password: <INPUT NAME="password" TYPE="PASSWORD" SIZE=50><BR>
<INPUT TYPE=SUBMIT>
</FORM>
</BODY>

Yes, this is yet another form that submits to itself. When the user submits a username and password, the page looks up the customer to see if the e-mail address exists. If it does and the submitted password matches the password in the database, two cookies are generated: one for the username and one for the password. The page encodes the values with Base64 for two reasons. One is to keep the data from being readable at a glance; the other is that certain symbols, such as "@", aren't legal in early implementations of cookies. Note that Base64 is an encoding, not encryption: anyone who finds the cookie can decode it in one step and recover the password. If you really want to protect the data, use a real cipher such as the Advanced Encryption Standard (AES), which replaced the government's Data Encryption Standard (DES) in 2001 (DES is obsolete and should not be used for new work), or a tool built on one, such as Pretty Good Privacy (PGP). Even then, an encrypted cookie copied from one PC still logs in from another, so send it only over HTTPS (mark it Secure) and give it an expiry that the server enforces.

Now that the user can log in, you need to write a JSP snippet to use throughout the site that checks for the cookie and logs in the user automatically if the cookie is available (see Listing 8.17).

Listing 8.17 AutoLogin.jsp
<%@ page import="com.bfg.customer.Customer" %>
<%@ page import="javax.servlet.http.Cookie" %>
<%@ page import="java.util.Base64" %>
<jsp:useBean id="customer" class="com.bfg.customer.Customer" scope="session"/>
<%
if (customer.getEmail() == null) {
    String email = null;
    String password = null;
    // getCookies() returns null, not an empty array, when the request carries no cookies.
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        Base64.Decoder dec = Base64.getUrlDecoder();
        for (int i = 0; i < cookies.length; i++) {
            try {
                if (cookies[i].getName().equals("bfgUsername")) {
                    email = new String(dec.decode(cookies[i].getValue()), "UTF-8");
                } else if (cookies[i].getName().equals("bfgPassword")) {
                    password = new String(dec.decode(cookies[i].getValue()), "UTF-8");
                }
            } catch (IllegalArgumentException e) {
                // A hand-made or damaged cookie that is not valid Base64: ignore it.
            }
        }
    }
    if ((email != null) && (password != null)) {
        Customer c = Customer.findCustomer(email);
        if ((c != null) && (c.getPassword().equals(password))) {
            pageContext.setAttribute("customer", c, PageContext.SESSION_SCOPE);
        }
    }
}
%>

First you put in a check to see if the user already is logged in (if the session-scoped property customer has a non-null e-mail address). If the user isn't already logged in, you need to have the code run through all the request cookies looking for the username and password cookies and then decoding the cookies if they're found.

If both cookies are found, and a customer with that username and password exists, the code sets the session-scoped customer property to the customer it just found. This means that the next time this snippet runs, it won't try to log in the user again. Otherwise, the user will need to log in manually (or not at all, as the site permits).
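Both listings above put the password itself in a cookie and rely on Base64 to hide it. What follows is an added example, not code from the book, of the alternative mentioned under the first precaution: the cookie carries the customer's e-mail address, an expiry time, and an HMAC-SHA256 over both computed with a secret key that stays on the server. A cookie built this way cannot be altered to name another customer or to extend its own lifetime, a hand-made value is rejected before anything in it is trusted, and the password never leaves the server. The class name RememberMeToken, the placeholder key, the fixed clock value and the sample e-mail addresses are assumptions for the demonstration; the code uses only the standard javax.crypto and java.util.Base64 APIs and runs stand-alone.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not from the book): a "remember me" cookie value that carries the
 * customer's e-mail plus an expiry time and an HMAC over both, instead of the password.
 * Format: base64url(email) "." expiryMillis "." base64url(HMAC-SHA256(payload)).
 * The key is a server-side secret that never reaches the browser; here it is a
 * hard-coded placeholder and would be loaded from configuration on a real site.
 */
public class RememberMeToken {
    private static final String ALG = "HmacSHA256";
    // URL-safe alphabet without padding: only letters, digits, '-' and '_' reach the cookie.
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private final byte[] secret;

    public RememberMeToken(byte[] secret) {
        this.secret = secret.clone();
    }

    /** Builds the cookie value for a customer who has just logged in. */
    public String issue(String email, long expiresAtMillis) throws GeneralSecurityException {
        String payload = B64.encodeToString(email.getBytes(StandardCharsets.UTF_8))
                + "." + expiresAtMillis;
        return payload + "." + B64.encodeToString(mac(payload));
    }

    /**
     * Returns the e-mail address if the cookie is genuine and unexpired, or null if it
     * is missing, malformed, tampered with, or past its expiry. The MAC is checked
     * before anything in the payload is trusted.
     */
    public String verify(String cookieValue, long nowMillis) throws GeneralSecurityException {
        if (cookieValue == null) {
            return null;
        }
        String[] parts = cookieValue.split("\\.", -1);
        if (parts.length != 3) {
            return null;
        }
        String payload = parts[0] + "." + parts[1];
        byte[] given;
        try {
            given = B64D.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null;                        // not valid Base64: a hand-made cookie
        }
        // Constant-time comparison so timing does not leak how many MAC bytes matched.
        if (!MessageDigest.isEqual(mac(payload), given)) {
            return null;
        }
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowMillis >= expiry) {
            return null;                        // Max-Age is only advisory; enforce expiry here
        }
        return new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
    }

    private byte[] mac(String data) throws GeneralSecurityException {
        Mac m = Mac.getInstance(ALG);
        m.init(new SecretKeySpec(secret, ALG));
        return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Placeholder key for the demonstration; a real key comes from server configuration.
        RememberMeToken tokens = new RememberMeToken(
                "replace-with-a-long-random-secret".getBytes(StandardCharsets.UTF_8));
        long now = 1_000_000L;                  // fixed clock so the run is reproducible
        long oneYear = 365L * 24 * 3600 * 1000;

        String cookie = tokens.issue("alice@example.com", now + oneYear);
        System.out.println("cookie value: " + cookie);
        System.out.println("valid:        " + tokens.verify(cookie, now));           // alice@example.com

        // Swap in another customer's e-mail: the MAC no longer matches.
        String[] p = cookie.split("\\.");
        String forged = B64.encodeToString("bob@example.com".getBytes(StandardCharsets.UTF_8))
                + "." + p[1] + "." + p[2];
        System.out.println("forged:       " + tokens.verify(forged, now));           // null

        // The genuine cookie presented after its expiry time.
        System.out.println("expired:      " + tokens.verify(cookie, now + oneYear)); // null

        // Not even Base64: a value the listings above would have choked on.
        System.out.println("garbage:      " + tokens.verify("not a cookie", now));   // null
    }
}
```

To wire this into the listings, Login.jsp would call issue(c.getEmail(), System.currentTimeMillis() + oneYear) and store the result in a single cookie, and AutoLogin.jsp would call verify on that cookie's value and pass the returned e-mail to Customer.findCustomer. Set the cookie's Secure flag (and HttpOnly, on Servlet 3.0 or later) so that it travels only over HTTPS and cannot be read by script. The token is still a bearer credential: a copy taken from the user's PC works until it expires, so keep the issued token (or a random series identifier) in the customer's row and clear it when the password changes, which revokes every outstanding cookie at once.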



MySQL and JSP Web Applications: Data-Driven Programming Using Tomcat and MySQL
ISBN: 0672323095
Year: 2002
Pages: 203
Authors: James Turner
