hi all,
I was wondering what the most secure way to log people in was, without
using SSL. I've taken a look at both the java.net package and the
java.security package. They both seem to have some of the functionality that
I would like, but they don't seem that practical to me. My main goals are:
1) authenticate an initial login
2) track the user using sessions
3) reduce overhead by not authenticating on every page reload, so as not to
have to keep reconnecting to my SQL DB and checking the user's validity.
Here is the (slightly over-complicated) code I am using now. What security
issues does this present, and how can they be solved? Optimization and other
functions I could use would also be greatly appreciated.
    Connection con;
    String Username = "";
    String Password = "";
    PrintWriter out = res.getWriter();
    HttpSession session;
    if (req.getSession(false) == null) { // login attempt
        Username = req.getParameter("username");
        Password = req.getParameter("password");
        session = req.getSession(true);
        session.putValue("Username", Username);
        session.putValue("Password", Password);
    }
    else { // already logged in, use sessions
        session = req.getSession(false);
        Username = (String) session.getValue("Username");
        Password = (String) session.getValue("Password");
    }
    if (req.getParameter("username") != null) { // a new login attempt before logout
        try {
            con.close();
        }
        catch (Exception e) {
            System.out.println("Database close failed");
            System.out.println(e.toString());
        }
        con = null;
        out.println("resetting");
        Username = req.getParameter("username");
        Password = req.getParameter("password");
    }
Thank-you,
Doug
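A hardened version of the flow Doug describes (authenticate once, keep a session, skip the database on later requests), added here as an example and not code from the original post. It assumes a javax.servlet container and a hypothetical CredentialStore that returns the stored salt and PBKDF2 hash for a username; the session holds only the username, never the password, and any pre-login session is invalidated so the login starts with a fresh session id.

```java
import java.security.MessageDigest;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionLogin {
    private static final String USER_ATTR = "authenticatedUser";

    // What the database holds per user: a random salt and a PBKDF2 hash, never the password.
    public static final class StoredCredential {
        final byte[] salt, hash;
        public StoredCredential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    // Hypothetical lookup; the caller wires this to the SQL table. Returns null for unknown users.
    public interface CredentialStore { StoredCredential find(String username); }

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    /** Login form POST: the only point at which the database is consulted. */
    public static boolean login(HttpServletRequest req, CredentialStore store) throws Exception {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) return false;
        StoredCredential cred = store.find(user);
        if (cred == null) return false;
        // MessageDigest.isEqual compares in constant time, so timing does not leak hash bytes
        if (!MessageDigest.isEqual(pbkdf2(pass.toCharArray(), cred.salt), cred.hash)) return false;
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();      // drop any pre-login session id (session fixation)
        req.getSession(true).setAttribute(USER_ATTR, user); // principal only, no password in session
        return true;
    }

    /** Per-request check for every other page: no DB round trip, no credentials involved. */
    public static String currentUser(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session == null ? null : (String) session.getAttribute(USER_ATTR);
    }

    public static void logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();
    }
}
```

Without SSL the submitted password and the session cookie still cross the network in the clear, so this narrows what is stored and how it is checked but does not protect the transport.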
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html