Cookie not being read - java

I implemented "Remember me" functionality in my web app. I did this using a cookie that contains username/password encrypted using RSA.
I add the cookie when I login; if then I logout (without closing browser) the cookie is read ok and in the login page I see username/pass already typed.
But if I close the browser, or close the tab and run the application again, when the cookies are read, the only cookie that is read is the JSESSIONID. The cookie with the credentials is not in the array returned by
((HttpServletRequest)facesContext.getExternalContext().getRequest()).getCookies();
even though I can see it in the browser. Why is that?
This is the code that creates the cookie:
String credentials = username + "?" + password;
Cookie c = CookieHandler.getInstance().createCookie("vtcred", credentials, rememberMe);
FacesContext facesContext = FacesContext.getCurrentInstance();
((HttpServletResponse) facesContext.getExternalContext().getResponse()).addCookie(c);
and method createCookie:
public Cookie createCookie(String name, String value, boolean rememberMe) {
value = encript(value);
Cookie credCookie = new Cookie(name, value);
credCookie.setHttpOnly(true);
if(rememberMe) {
credCookie.setMaxAge(86400);
}
else {
credCookie.setMaxAge(0);
}
return credCookie;
}
Edit: I am setting the cookie's max age to one day; and in the browser I can see that the cookie expires tomorrow, so that's not the problem
Thanks in advance,
Damian
edit2: this is very odd, but it seems to be working now. I'll keep testing it and notify. Thanks.

I found why sometimes a cookie is not read. It has to do with the path attribute.
If anyone is having this issue, set the path of the cookie, like this:
Cookie cookie = new Cookie("name", "value");
cookie.setMaxAge(86400);
cookie.setPath("/");
Regards

You might want to set the cookie with an expiration date. If you don't, it will only last as long as the browser session.

Related

HttpServletRequest returning no cookies - but they exist

We have a portlet based application that retrieves a certain cookie for validation and then sends off an action request afterwards.
However, we're seeing an issue where the HttpServletRequest is returning a null list of cookies - even though I can 100% confirm there are cookies. In fact, sometimes the code DOES work and shows the cookies (although this is pretty rare).
We've noticed that IE appears to work more frequently than FF and Chrome, but again, there's no consistency or pattern really to determine what causes it to function.
The Request is always obtained - there's never an issue here of a null pointer. The only issue at this moment is that the cookie list is empty.
Method in static class that returns HttpServletRequest
FacesContext context = FacesContext.getCurrentInstance();
Map<String, Object> requests = context.getExternalContext().getRequestMap();
for (String requestName : requests.keySet()) {
if (requests.get(requestName) instanceof HttpServletRequest) {
return ((HttpServletRequest) requests.get(requestName));
}
}
return null;
Call from the other class to the static method above:
Cookie[] cookies = StaticClass.getHttpRequest().getCookies();
System.out.println("Cookies = " + cookies);
The HttpServletRequest method getCookies() should return an array of cookies the client sent in on the request. If the array returned is null, it means that the request the client sent in contains no cookies. Did you call addCookie(yourCookie) method within the same domain or subdomain (I ask as you cannot access cookies across different domains)?
ie:
Cookie yourCookie = new Cookie(name, value);
response.addCookie(yourCookie);
If the cookie was not added to a previous response, it will not be on the request.
Some other clues:
Check your Cookie's max age. Cookie may be expired.
Check the domain of the cookie and the domain of the request URL. If you are not sure, post them here for help.
In general if you can capture the http request message and post it here it will also be helpful.
Update: in firefox you can right click a page, and select 'view page info', then select the 'security' tab, click the 'view cookies' button to view all the cookies. You can also change the domain name in the popup window to see the cookies under other domain.

Cookie is only available on returned page, not on other pages

I have a simple jsp login page, and I am trying to implement the "remember me" functionality.
The jsp's page code:
String username = "";
Cookie[] vec = request.getCookies();
for(int i=0; vec!=null && i<vec.length; i++)
{
if(vec[i].getName().equals("userNameCookie")&&!vec[i].getValue().equals(""))
{
username = vec[i].getValue();
}
}
The form parameters are sent to the servlet controller, the controller creates the cookie and adds it to the response, and after that the controller forwards the request to the other page.
My issue is that after coming back to the login page the cookie that the controller adds to the response does not exist. In fact, the cookie exists in the page the controller forwarded the request to.
Here's the controller's code:
String username = request.getParameter("username");
String password = request.getParameter("password");
Cookie cookie = new Cookie("userNameCookie", username);
cookie.setMaxAge(7 * 24 * 60 * 60);
response.addCookie(cookie);
getServletConfig().getServletContext().getRequestDispatcher("/WEB-INF/products.jsp").forward(request, response);
What am I doing wrong?
Thanks!
You must probably specify a path for your cookie. IIRC, if you don't specify one, the cookie is only valid for the URL the cookie comes from.
Also, your remember-me cookie is really insecure. Any user could authenticate himself as someone else by simply sending a cookie with the other user's name. You should make the cookie random and very hard to guess, and associate each random cookie with the user it has been generated for, in the database.
The first time the user sends a request, the cookie you created in the servlet is stored in the response object, not in the request object in the JSP. You can't get the cookie from the request object in the JSP that the servlet forwards to, because the web container handles the forward before it sends the response to the client. The client only stores the cookie when it receives the response.
If the client resends the request, maybe it will work.
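
The random, server-side-associated remember-me token recommended in the answer above, as an added example that is not code from any of the posts. It assumes Java 17; the class name, the in-memory map (standing in for a database table) and the user "alice" are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.HexFormat;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: opaque remember-me tokens; the map stands in for a database table. */
public class RememberMeTokens {
    private record Entry(String username, Instant expires) {}

    private static final SecureRandom RNG = new SecureRandom();
    // Key: hex SHA-256 of the token. Only the hash is kept server-side,
    // so a leaked table cannot be replayed as cookies.
    private final Map<String, Entry> store = new ConcurrentHashMap<>();

    /** Issues a random token for the user; the return value is the cookie value. */
    public String issue(String username, long ttlSeconds) {
        byte[] raw = new byte[32];                        // 256 bits of randomness
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(hash(token), new Entry(username, Instant.now().plusSeconds(ttlSeconds)));
        return token;  // send with setHttpOnly(true), setSecure(true), setPath("/")
    }

    /** Returns the username for a valid token, or null. Each token is single-use. */
    public String redeem(String token) {
        if (token == null) return null;
        Entry e = store.remove(hash(token));              // consume; caller issues a fresh one
        if (e == null || Instant.now().isAfter(e.expires())) return null;
        return e.username();
    }

    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(d);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);          // SHA-256 is mandatory in every JRE
        }
    }

    public static void main(String[] args) {
        RememberMeTokens tokens = new RememberMeTokens();
        String cookieValue = tokens.issue("alice", 7 * 24 * 60 * 60); // constructed user
        System.out.println(tokens.redeem(cookieValue));   // first use of a valid token
        System.out.println(tokens.redeem(cookieValue));   // replay of the same token
        System.out.println(tokens.redeem("alice"));       // a guessed value such as a user name
    }
}
```

The cookie carries no user name or password, so nothing in it identifies an account or can be forged from one.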

how to delete the cookies in jsp/java

This is my code for setting a new cookie
Cookie citizen = new Cookie("citizen",email);
citizen.setMaxAge(3600);
response.addCookie(citizen);
Now I'm using this code for destroying the cookie
Cookie[] cookies = request.getCookies();
for(int i = 0; i < cookies.length; i++) {
if (cookies[i].getName().equals("citizen")) {
cookies[i].setMaxAge(0);
response.addCookie(cookies[i]);
}
}
But I'm still getting the cookie value. Help will be appreciated!
The link below might help you.
How can delete information from cookies?
Good luck!
Let me know in case of any further queries.
I was having a problem similar to this, where the cookie retained the value even after setting max age to 0 and the value to "".
I used Firefox to look at the cookie attributes to help debug. When logging in, the servlet called my cookie class to set the cookie, and the cookie path was "/javawork/". When logging out, the JSP page called the same cookie class to "delete" the cookie by setting the max age to 0. But the JSP page was in a sub folder in the web app, so when I created a cookie of the same name with max age of 0, it created a new cookie with the path "/javawork/test_login/".
So that "new" cookie immediately expired, but the original one still existed. In my delete cookie function I needed to set the path of the "new" cookie to be "/javawork/", and when I set the max age to 0 and added it, it updated the original cookie and let me properly log out.
I hope that helps.
The correct option would be
Cookie cookie = new Cookie("citizen", "citizen");
cookie.setMaxAge(0);
cookie.setValue("");
response.addCookie(cookie);
If you try to get the cookie from the request and then add it to the response with setMaxAge(0), you will see that the cookie has not been removed.
Try to add this line:
cookies[i].setMaxAge(0);
//add this line
cookies[i].setPath("/");
response.addCookie(cookies[i]);
This works for me -
Cookie UIDCookie = new Cookie(COOKIE_KEY, "");
UIDCookie.setMaxAge(0);
UIDCookie.setPath("/");
response.addCookie(UIDCookie);
We can delete a cookie by setting max age as zero.
For example:
Cookie[] cookies = request.getCookies();
cookies[0].setMaxAge(0);
response.addCookie(cookies[0]);
Here we delete only the first cookie
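
Why the expiry in the answers above only works when the path matches, shown with a toy cookie jar that keys cookies by name and path the way RFC 6265 describes. This is an added example, not code from any of the posts; the class, the request URLs and the e-mail value are constructed, and a single host is assumed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: a toy browser cookie jar keyed by name and path (RFC 6265). */
public class CookiePathDemo {
    // Key is "name;path" (domain left out: one host assumed). Value is the cookie value.
    private final Map<String, String> jar = new LinkedHashMap<>();

    /** RFC 6265 section 5.1.4: the path a cookie gets when Set-Cookie has no Path. */
    static String defaultPath(String requestPath) {
        if (requestPath == null || !requestPath.startsWith("/")) return "/";
        int lastSlash = requestPath.lastIndexOf('/');
        return lastSlash == 0 ? "/" : requestPath.substring(0, lastSlash);
    }

    /** RFC 6265 section 5.1.4 path-match: is the cookie sent for this request path? */
    static boolean pathMatches(String requestPath, String cookiePath) {
        if (requestPath.equals(cookiePath)) return true;
        if (!requestPath.startsWith(cookiePath)) return false;
        return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length()) == '/';
    }

    /** Applies a Set-Cookie received on requestPath; path == null means no Path attribute. */
    void setCookie(String requestPath, String name, String value, String path, int maxAge) {
        String key = name + ";" + (path != null ? path : defaultPath(requestPath));
        if (maxAge <= 0) jar.remove(key);  // expires only the cookie with this exact name and path
        else jar.put(key, value);
    }

    /** Number of stored cookies called name that would be sent with a request for requestPath. */
    long sentFor(String requestPath, String name) {
        return jar.keySet().stream()
                .filter(k -> k.startsWith(name + ";"))
                .filter(k -> pathMatches(requestPath, k.substring(name.length() + 1)))
                .count();
    }

    public static void main(String[] args) {
        CookiePathDemo browser = new CookiePathDemo();
        // Constructed URLs modelled on the /javawork/ layout described above.
        browser.setCookie("/javawork/login", "citizen", "a@example.com", null, 3600);
        // Logout JSP in a sub folder, no Path: the expiry targets /javawork/test_login.
        browser.setCookie("/javawork/test_login/logout.jsp", "citizen", "", null, 0);
        System.out.println(browser.sentFor("/javawork/home", "citizen")); // cookie still sent
        // The same expiry with the original path set explicitly hits the stored cookie.
        browser.setCookie("/javawork/test_login/logout.jsp", "citizen", "", "/javawork", 0);
        System.out.println(browser.sentFor("/javawork/home", "citizen")); // cookie gone
    }
}
```

For a logout handler the practical check is that the expiring cookie carries the same name and path (and domain, if one was set) as the cookie issued at login; otherwise the session or remember-me value stays valid in the browser.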

Cookie handling with Servlet

I am having a problem setting the data of a (persistent/cross browser session) cookie correctly inside a Servlet and then reading it in a Filter.
The code of the Servlet (running at log-in time) is:
String encodedValue = new String(Base64
.encodeBase64(req.getParameter("account").getBytes()));
Cookie cookie = new Cookie("projectAuthenticationCookie", encodedValue );
cookie.setMaxAge(24*60*60);
cookie.setPath("/");
res.addCookie(cookie);
This will get the cookie inside the response, but when I read it within my filter with the following code:
Cookie authenticationCookie = null;
Cookie[] cookies = ((HttpServletRequest) request).getCookies();
for (Cookie cookie : cookies){
if ("projectAuthenticationCookie".equals(cookie.getName())) {
authenticationCookie = cookie;
}
}
I only get the value I set right, all other fields are either null, empty or different. Max age for example always returns -1 and thus the cookie will never persist.
I tried setting the expires-header with:
res.setDateHeader("Expires", System.currentTimeMillis() + 24*60*60*1000);
as I read that without a valid expires-header the session will timeout anyway (correct me if I am wrong), but that didn't help either...
One issue I am thinking of is that I am running on localhost (tried setting cookie.setDomain("localhost") but also no luck). My web server/servlet container is Jetty 7 but I do not think that this is relevant...
Any hints?
The fields other than name and value are not populated (and thus not meaningful) on cookies you get from a request.
These fields are intended to inform the browser about the max age, path, etc. of the cookie, but the browser doesn't send back this information to the server. The only time where it's important to have the correct max age, path, etc. is when you create a cookie and add it to the response. Use your browser to check if it stores the correct information instead of trying to find it at server-side.

Problems with retrieving the correct cookie in Java

When I retrieve the cookies in my java servlet, all of the values from getPath() are null.
So if a cookie with the same name is set in directory /foo, and at the root directory, I retrieve two cookies with the same exact name, but I can't differentiate them because getPath() returns null for both.
I looked in firebug and saw that firefox was not sending anything for the path.
My application uses a "rememberme" cookie with the path set to "/". Everything works fine as long as there is only one cookie with name rememberme. But if somehow another cookie gets set with the same name on a different path like /foo, then my application won't know which one is the one I set for the root.
How can I differentiate the cookies? Do I need to worry about a cookie existing with the same name in a subdir, or can I just assume there will be only the one I set?
If the browser doesn't send a path, you should set the path to "/" in your Cookie handler.
Your server sets the cookies, not the web browser, so if you set all the paths for the cookies that you create to "/" for the same domain, you don't have to worry about it.
I'm not sure how much this will help you but I recently wrote this method to retrieve cookies from a URLConnection object and return them as a string:
public String getCookies(URLConnection connection) {
String headerName = null;
String cookie = "";
for (int i=1; (headerName = connection.getHeaderFieldKey(i))!=null; i++) {
if (headerName.equals("Set-Cookie")) {
if (cookie.equals("")) {
cookie = connection.getHeaderField(i);
}
else {
cookie = cookie + "; " + connection.getHeaderField(i);
}
}
}
writeToCookiesFile(cookie);
return cookie;
}
This method was being used in just a plain application though :) Hope it's of some benefit!
The browser will send cookies defined for path /foo only when the path of the url starts with /foo. If a cookie with the same name is set on both / and /foo, there is no way to distinguish them.
