This means that every request is a new request to a server. Although there are advantages to being stateless, some applications need to maintain state in order to function properly. For example, consider a user logging into a website. After authentication, the website needs to maintain a logged-in state for the user in order to execute his actions. A web server can easily achieve this by using cookies.
A Cookie is a small piece of data that is exchanged between a server and a client. Whenever a client sends a request, the server will send a cookie containing the required data and the client can send back the cookie with its next request.
In this tutorial, I will explain how to create a simple login interface that will maintain a login session. Please refer to this if you are not familiar with them.
Step 1: Create a Maven project in IntelliJ IDEA
Step 2: Add the required dependencies to the pom.
After that, your pom. Create the login page 3. This will be the landing page for our application. When the user enters his username and password, a POST request containing those parameters is sent to our LoginServlet. Inside the LoginServlet, we compare the received credentials with a set of credentials stored in the servlet. If they match, the user is successfully authenticated.
Be sure to invalidate the session that existed before authenticating the user and create a new session after authenticating, so that a session ID issued before login cannot be reused afterwards (session fixation). If we want the session to expire after a period of inactivity and prompt the user to log in again, we can use setMaxInactiveInterval.
We can also add new cookies to the session. After all this, we can redirect the user to the Login Success page. In this step, for security reasons, we do not specify which parameter is wrong.
We can also achieve this by using a deployment descriptor web. Once the user gets redirected to this LoginSuccess. Since there are multiple cookies, we iterate through the cookies array and extract the required cookie values.
Here we display the cookie values on the Login Success page. This page contains the logout link that will send the logout request to the LogoutServlet. There, we invalidate the authenticated session and redirect the user to the login page.
Now, build the WAR file and deploy! After login, you will be redirected to LoginSuccess. However, you will notice that even after the logout, we can still browse to the LoginSuccess. It will still show a successful login. So, is the above authentication process useless? This is where Servlet Filters come into play. If you are not familiar with servlet filters, read my blog on How to use Servlet Filters.
In order to make this filter active, we need to define the filter and the required filter mapping in the web. If the session exists, the request is passed to the next filter in the filter chain. This will prevent unauthorized users from accessing the LoginSuccess page while allowing logged-in users to access it. Now you can try to browse to the LoginSuccess. You will see that it gets automatically redirected to the loginPage.