Storing username, pasword using cookies/sessions - Java Servlets

Question

I am trying to create a registration page using servlets. I have created a basic HTML page which has a form with input for username and password. Now what I need to do is store the information submitted to the form using cookies/sessions. Then on the log-in page, a user must be able to login using the information they provided earlier. So basically I need to know how to store the username and password.

So if I were register with the username: admin and password 123, and then register with the username: user and password: 12345, I shouldn't be able to login with admin and 12345 or user and 123. Thanks!!

HTML FORM

   <html>
    <head>
        <title>Registration</title>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
    </head>
    <body bgcolor="lightblue">

    <center>
        <h1></h1>
        <br>

        <hr>
        <br><br>
        <form action="/Registration" method="get">
            <h3> Please register to start </h3>
Username: <input type="text" name="userName">
<br>
Password: <input type="password" name="password">
<br>
<br>
<input type="submit" value="Register">
<br><br>
</form>
    </center>
    </body>
</html>

JAVA SERVLET

protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);

         // Create cookies for first and last names.      
      Cookie userName = new Cookie("userName",
                      request.getParameter("userName"));
      Cookie password = new Cookie("password",
                      request.getParameter("password"));

       // Set expiry date after 24 Hrs for both the cookies.
      userName.setMaxAge(60*60*24); 
      password.setMaxAge(60*60*24); 

      // Add both the cookies in the response header.
      response.addCookie( userName );
      response.addCookie( password );

Answer 1

Cookies are stored on the client side and are sent to the server with each request. It is not good practice to add passwords in cookies because they are easily intercepted and in many cases stick around in the users browser even after they leave the site.

You should be relying on a session, Java EE allows you to create a session with the user where by it will store a session id that is then sent with each request instead. You can store information about that user on the server instead.

Using your code here is how you can create a session.

// get the session, add argument `true` to create a session if one is not yet created.
HttpSession session = request.getSession(true);

session.setAttribute("userName", request.getParameter("userName"));
session.setAttribute("password", request.getParameter("password"));

// to get the username and password
String userName = session.getAttribute("userName");
String password = session.getAttribute("password");

Now of course if you do things this way when you clear your servers cache usernames and passwords will be erased. Also non encrypted passwords in the servers cache certainly has security concerns.

---

Edit:

If 2 people were to use the same computer then no, the code above would not work well. This is because the users credentials are only stored in the session, there is nothing that persists after the session is destroyed or the data in the session is overwritten. Imagine the session is a object that is directly tied to each user. So right now i'm on StackOverflow where somewhere in their code there is a special object just for me and my browser (the session!), in the session object there is something else that says that current logged in user is me. I challenge you to think about how you could store the users credentials outside the session and instead store the currently logged in user inside the session.

To learn more about sessions and how they work there's a great answer here: What are sessions? How do they work? .