Cookie is only available on returned page, not on other pages

Question

I have a simple jsp login page, and I am trying to implement the "remember me2 functionality. The jsp's page code:

 String username = "";
    Cookie[] vec = request.getCookies();
    for(int i=0; vec!=null && i<vec.length; i++)
    {
        if(vec[i].getName().equals("userNameCookie")&&!vec[i].getValue().equals(""))
        {
            username = vec[i].getValue();
        }   
    }

The form parameters are sent to the servlet controller, the controller creates the cookie and adds it to the response, and after that the controller forwards the request to the other page.

My issue is that after coming back to the login page the cookie that the controller adds to the response does not exist. In fact, the cookie exists in the page the controller forwarded the request to.

Here's the controller's code:

String username = request.getParameter("username");
            String password = request.getParameter("password");
            Cookie cookie = new Cookie("userNameCookie", username);
            cookie.setMaxAge(7 * 24 * 60 * 60);
            response.addCookie(cookie);
getServletConfig().getServletContext().getRequestDispatcher("/WEB-INF/products.jsp").forward(request, response);

What am I doing wrong?

Thanks!

Related: http://stackoverflow.com/questions/2185951/java-how-do-i-keep-a-user-logged-into-my-site-for-months/2186072#2186072 and http://stackoverflow.com/questions/5082846/java-ee-6-how-to-implement-stay-logged-in-when-user-login-in-to-the-web-appli/5083809#5083809 — BalusC, Jan 06 '13 at 16:06

score 2 · Answer 1 · answered Jan 06 '13 at 15:16

You must probably specify a path for your cookie. IIRC, if you don't specify one, the cookie is only valid for the URL the cookie comes from.

Also, your remember-me cookie is really insecure. Any user could authenticate himself as someone else by simply sending a cookie with the other user's name. You should make the cookie random and very hard to guess, and associate each random cookie with the user it has been generated for, in the database.

score 0 · Answer 2 · answered Jan 06 '13 at 15:31

0

At the first time of user send a request msg, the cookie you created in servlet has stored in response object, not in request object in jsp. You cant get the cookie from request object in your jsp which servlet forward to. Because the web container handle the forward before the send reponse msg to client agent. The client just store the cookie when it received reponse msg.

if the client resend the request, maybe it will done.

answered Jan 06 '13 at 15:31

Bo6Bear

57
2

thanks for the answer. in that case what should i do to get the cookie in the login page? – c.o Jan 07 '13 at 05:45
The easiest way to make this work done is that modify request.forward to reponse.sendRedirect(yourJsp). Cause, it will make the client agent resend a request to your redirected page(your jsp) with the cookie you added automatically. – Bo6Bear Jan 07 '13 at 12:49

Cookie is only available on returned page, not on other pages

2 Answers2