I can't think of a resource that would cover all the issues (there's certainly a lot to consider, especially security), but I do have a couple pieces of advice:
Since your users will register themselves, you might want to consider implementing an email verification system. When the user registers, send an email to the address she provides with a link back to the site. If the user doesn't verify the address within a certain amount of time, just delete the information from the database. That way you can ensure that people won't come to the site and create bogus accounts.

I would also recommend implementing a password retrieval system. You can either email the password to the user or implement a secret question and answer. If you don't do this, you or your client will be spending a lot of time fielding calls and emails from users who forgot their password.

-----Original Message-----
From: A mailing list about Java Server Pages specification and reference [mailto:[EMAIL PROTECTED]] On Behalf Of Haseltine, Celeste
Sent: Thursday, January 10, 2002 11:46 AM
To: [EMAIL PROTECTED]
Subject: Designing a secure login using JSP's for a public internet site

Does anyone have any good references regarding developing a public internet login system that would allow a user to assign his/her own login name and password/pin? I've spent all of my Java/JSP career doing internal intranet web sites for companies looking to disseminate information to their employees, and/or internally within their own organizations. Therefore, I have never really had to focus on the security issues surrounding a public internet site, and the issues surrounding new users creating their own user IDs and passwords. The server will be Windows 2000, using IIS 5.0 and JRUN 3.1 configured together to handle html and jsp pages. If anyone has any good references or advice regarding what to do/what not to do while developing a public internet site, I would be grateful.
The gentleman I am doing this site for was hit hard by the events of Sept 11, and since he cannot afford to bring someone else on board who has this type of experience, he has asked me to do what I can for him. This will be a "prototype" site that he will use to try and lure new prospective customers to his business. Any advice or lessons learned regarding the development of this type of web product, and the security issues surrounding a public web site and user login/password creation, would also be appreciated.

My thanks in advance for all advice/suggestions/references.

Celeste Haseltine, PE
MTL

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:
http://archives.java.sun.com/jsp-interest.html
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.jsp
http://www.jguru.com/faq/index.jsp
http://www.jspinsider.com
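One way to implement the verification-link step suggested in the reply above, as an added Java example that is not code from the original message or from the list; the class name, the in-memory map standing in for the database table, and the 24-hour window are assumptions:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example (hypothetical names): pending-registration store for the emailed
// verification link. Only a hash of the token is kept, it expires, and it works once.
public class PendingRegistrations {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TTL = Duration.ofHours(24); // assumed window
    private record Pending(String email, byte[] tokenHash, Instant expires) {}
    private final Map<String, Pending> byUser = new HashMap<>(); // stands in for the DB table

    // At registration: returns the raw token to embed in the emailed link.
    public String register(String username, String email) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byUser.put(username, new Pending(email, sha256(token), Instant.now().plus(TTL)));
        return token;
    }

    // When the link is followed: constant-time compare, reject if expired,
    // and remove the record so the same link cannot be used a second time.
    public boolean verify(String username, String token) {
        Pending p = byUser.get(username);
        if (p == null || Instant.now().isAfter(p.expires())) return false;
        if (!MessageDigest.isEqual(p.tokenHash(), sha256(token))) return false;
        byUser.remove(username);
        return true;
    }

    // Scheduled cleanup: delete accounts whose link was never followed in time.
    public int purgeExpired() {
        Instant now = Instant.now();
        int before = byUser.size();
        byUser.values().removeIf(p -> now.isAfter(p.expires()));
        return before - byUser.size();
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is available in every JRE
        }
    }
}
```

The same register/verify pair can issue a time-limited password reset link, which lets the user set a new password without the site ever mailing the password itself.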
