Servlet Login session time and authentication using Filter

Hello there,

I have this Servlet class which I am using for login. Can somebody have a look at my code and give their recommendation on whether I have implemented it properly or have missed some important thing in it?

cheers
Zolf
LoginServlet-.java
zolf Asked:

dpearson Commented:
Couple of things look a bit odd to me:

1)
String desc = ls.get("description").toString();
String desc1 = HashUtils.sha(ls.get("name").toString());

if (n.equals(ls.get("name")) && p.equals(ls.get("password")) && desc.equals(desc1))

Not sure what you're hoping to achieve with the desc.equals(desc1) check?
You seem to be comparing the sha(name) to the description stored in the database.
If these don't match it seems the names won't match.

2) By the end of the servlet where you say:

// Credential are correct!!
            if (authenticUser)
...

You've identified that this request came from somebody who has a valid session.
However, that user is NOT necessarily the same as the user name that was passed in here:
String n = request.getParameter("user_name");

(I sign in as username "abc", get a valid session and then send in a request as user "xyz" with my now valid session and the login servlet says this is valid).

You should probably check that the user name sent matches the current session.

Doug
zolf (Author) Commented:
Thanks for your comments.

Regarding point 2, can you please write the code for me as to how to validate the session for that user.

Also in this code, in the if/else loop where I check newLoginRequest, do I need to have the redirect code in its else loop also, or is it not needed?
if (authenticUser)
		{
			System.out.println("Credential are correct!!!!!!!!!!!!");
			if (newLoginRequest)
			{
				session.setAttribute("sessionId", request.getSession().getId());
				response.sendRedirect(ConfigUtils.getInstance().getLandingPageURL());
			}
			else
			{
				System.out.println("NEW Login Request is FALSEEEE!!!!!!!!!!!!");
			}
		}
		else
		{
			request.getSession().invalidate();
			response.sendRedirect(ConfigUtils.getInstance().getLoginURL());
		}


dpearson Commented:
When you store the session id:
session.setAttribute("sessionId", request.getSession().getId());

You could also store the user name:
session.setAttribute("username", n);

and then change this test:

if (session != null && session.getAttribute("sessionId") != null)

to also compare session.getAttribute("username").equals(n)

Also as to when and where you need to redirect, that's a larger design question - depends on how this servlet fits into the whole system.

Doug
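
One way to apply the suggestion above (store the user name in the session at login and compare it on later requests), as an added example that is not part of the thread or of the posted LoginServlet. The class name SessionUserFilter and the helpers bindUser and isSameUser are hypothetical; replacing the pre-login session in bindUser is an extra step not discussed in the thread.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: hypothetical class, not from the original LoginServlet.
public class SessionUserFilter implements Filter {
    static final String USER_ATTR = "username";    // attribute name suggested in the thread
    static final String USER_PARAM = "user_name";  // request parameter read by the login servlet

    /** Call once from the login servlet, right after the credentials were verified. */
    static void bindUser(HttpServletRequest request, String verifiedUser) {
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();          // assumption: drop any pre-login session
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(USER_ATTR, verifiedUser);
    }

    /** True only if the session exists, holds a user, and that user matches any claimed name. */
    static boolean isSameUser(HttpSession session, String claimedUser) {
        if (session == null) return false;
        Object bound = session.getAttribute(USER_ATTR);
        if (!(bound instanceof String)) return false;
        return claimedUser == null || bound.equals(claimedUser);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);  // never create a session here
        if (isSameUser(session, request.getParameter(USER_PARAM))) {
            chain.doFilter(req, res);
        } else {
            // "abc" holding a valid session but sending user_name=xyz ends up here.
            if (session != null) session.invalidate();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Map the filter to the protected URLs only, not to the login page itself, since no session carries a user name before login.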


zolf (Author) Commented:
Thanks a lot for your feedback. Do you know any site that has tutorial code for session and authentication?
dpearson Commented:
I don't know of that specifically but you might find this helpful to read:
http://docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html

Doug
zolf (Author) Commented:
cheers!!