Automatic JSP Login

Source: Internet
Author: User

I. What Is Automatic User Login?

If our website offers specialized services to registered users, such as online shopping, downloads, or paid browsing, users must first go to the logon page and enter a user name and password for verification before using those services.

If a user visits the website frequently, say once or several times a day, repeating the logon every time quickly becomes tedious. With some simple technical means the website can "remember" users who have logged on: when such a user comes back, the website recognizes the user and completes the login automatically.

II. Basic Ideas

As website authors we have no way of knowing who is sitting in front of the computer. What we can know is which computer is accessing the website, and that is achieved through cookies. User recognition is therefore really recognition of the client computer.

Simply put, when a user logs on to the website for the first time, the website sends the client a cookie containing the user name. When the user visits again later, the browser sends that cookie back to the website server, so we can read the user name from the cookie and call the logon method to log the user on automatically.

III. Preventing Spoofing

A cookie is just a plain text file; the strings in it can be opened and edited directly in Notepad. Therefore anyone, on any computer, can forge a cookie containing someone else's user name and impersonate that person. To solve this, we add a further piece of information to the cookie with two properties: 1. it corresponds one-to-one with the user; 2. it is hard to fabricate. It is sent to the user's browser together with the user name in the form of cookies, and the server must also remember it so that it can be checked when the user returns.

In theory the user's password could serve this purpose, since it has both properties. However, because the cookie itself is not encrypted, the password stored in it (even in encrypted form) can be read by anyone, so this approach is extremely insecure.

Another piece of information that can be used is the session ID of the user's visit. The session ID is a long, random, irregular string generated by the system, so it is hard to forge. To match it to the user we add a table to the database with at least two fields: user name and session ID. When a user logs on for the first time, the current session ID and the user name are each sent to the user as a cookie, and the pair is inserted into the database as one record. When the user visits again, the server reads the two cookies sent by the client and compares them with the records in the database. If a matching record is found, this computer is indeed the one the user last logged on from, and the user can be logged on automatically.

IV. Implementation

1. Add a check box to the logon page so the user can choose whether to enable automatic login for a certain period, for example two weeks.

Code:
<input type="checkbox" name="autologin"> Automatic login within two weeks

2. In the servlet that handles the logon, check whether the box was selected. If so, perform two operations: send two cookies to the user and write a corresponding record to the database.

Code:

Cookie ckUsername, ckSessionId;
String sessionId;

if ("on".equals(autologin)) {
    // If "Automatic login within two weeks" was selected, send two cookies to the user:
    // one holds the user name, the other the unique verification code.
    // The verification code is also written to the database so it can be checked
    // when the user returns (prevents cookie forgery).
    ckUsername = new Cookie("autologinuser", user.getUserName()); // user is the bean representing the user
    ckUsername.setMaxAge(60 * 60 * 24 * 14); // cookie valid for 14 days
    res.addCookie(ckUsername);

    sessionId = session.getId(); // the current session ID
    ckSessionId = new Cookie("sessionid", sessionId);
    ckSessionId.setMaxAge(60 * 60 * 24 * 14);
    res.addCookie(ckSessionId);

    // Insert the corresponding record into the database
    userSessionDao.insertUserSession(user, sessionId);
}

3. Automatic logon. Because the next visit may land directly on any page of the website (for example via a bookmark), not necessarily the home page or the login page, we use a filter to intercept every request arriving at the website and perform the automatic logon there.

public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
        throws ServletException, IOException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpSession session = request.getSession(true);
    String username;
    String sessionId; // the identifier stored on the client at the user's last logon, used for automatic logon on later visits; it is NOT the session ID of this request
    Cookie[] cookies;
    CookieManager cm = new CookieManager(); // custom class that finds and returns the value of the named cookie from the cookie array
    boolean isAutoLogin;

    // If there is no user object in the session, create one.
    User user = (User) session.getAttribute("user");
    if (user == null) {
        user = new User(); // the username attribute of a new User is "", meaning the user has not logged on
    }

    // If the username of the user object is "", the user is not logged on and the
    // automatic logon process runs; otherwise nothing is done.
    if (user.getUserName().equals("")) {
        // Check whether the browser sent the user name and sessionid of the last logon;
        // if so, log the user on automatically.
        cookies = request.getCookies();
        username = cm.getCookieValue(cookies, "autologinuser");
        sessionId = cm.getCookieValue(cookies, "sessionid");
        isAutoLogin = userSessionDao.getAutoLoginState(username, sessionId); // true if a matching record exists in the database

        if (isAutoLogin) {
            user.setUserName(username);
            user.setNickname(DbUtil.getNickname(username));
            session.setAttribute("user", user); // add the user bean to the session
        }
    }
    chain.doFilter(req, resp);
}

4. Log out. A user can be logged on automatically at the next visit only if he or she left the website without logging out during the last visit. If the user explicitly logs out, he or she does not want to be remembered, so the servlet that handles logout must delete the corresponding record from the database. Automatic logon will then not happen on the next visit.

5. Improvement

For convenience you may be tempted to lengthen the cookie's validity period to get long-term automatic login. This is unsafe for websites holding sensitive information: when a user does not use his or her computer for a long time, or the computer is discarded or handed to someone else, the cookie stored on it is still valid, which is a risk to both the user and the website.

To solve this, add a field to the database table that records the expiry day of automatic logon. Whether automatic logon is performed then depends on the information in the server's database rather than on the client-side cookie lifetime. To adjust how long automatic logon stays valid, only the date field in the database needs to change, which makes the process more secure.
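As an added example (not code from the article), a hypothetical AutoLoginStore class that plays the role of the article's userSessionDao for steps 2 to 4 and adds the server-side expiry of section 5, so that the cookie's own lifetime is never the deciding factor. It uses plain JDK classes only and departs from the article in two labelled ways: the "sessionid" cookie value is a fresh SecureRandom token rather than the servlet session ID (reusing the live session ID as a long-lived secret exposes it to hijack wherever that ID is logged or leaked), and only a SHA-256 hash of the token is stored. The filter is assumed to pass Instant.now() as the third argument.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical in-memory stand-in for the article's user/session table
// (userSessionDao), extended with the expiry column proposed in section 5.
public class AutoLoginStore {
    private static final SecureRandom RNG = new SecureRandom();
    // One table row: SHA-256 of the token plus the server-side expiry instant.
    private static final class Row {
        final byte[] tokenHash; final Instant expiresAt;
        Row(byte[] h, Instant e) { tokenHash = h; expiresAt = e; }
    }
    private final Map<String, Row> table = new ConcurrentHashMap<>();

    // Step 2 (login servlet): mint the value for the "sessionid" cookie. A fresh
    // SecureRandom token replaces the servlet session id, and only its hash is
    // stored, so a leaked copy of the table cannot be replayed as a cookie.
    public String issueToken(String username, Instant now, Duration validFor) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        table.put(username, new Row(sha256(token), now.plus(validFor)));
        return token;
    }

    // Step 3 (filter): true only if the username/token pair matches a row AND the
    // server-side expiry has not passed; the cookie's own max-age is not trusted.
    public boolean getAutoLoginState(String username, String token, Instant now) {
        if (username == null || token == null) return false;
        Row row = table.get(username);
        if (row == null || !now.isBefore(row.expiresAt)) return false;
        return MessageDigest.isEqual(row.tokenHash, sha256(token)); // constant-time
    }

    // Step 4 (logout servlet), or an operator cutting validity short (section 5).
    public void revoke(String username) { table.remove(username); }
    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

In the login servlet, the string returned by issueToken(user.getUserName(), Instant.now(), Duration.ofDays(14)) goes into the "sessionid" cookie in place of session.getId(); the filter then calls getAutoLoginState(username, sessionId, Instant.now()).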
