I have a "Remember Me" feature that I've been using in my webapps, and I'm having a hard time figuring out how to make it work (securely) on Tomcat 5. It works fine on Tomcat 4. Let me first explain how it works.
1. I put login.jsp and loginerror.jsp in a "security" folder at the root of my webapp.

2. I add form-based authentication configuration to web.xml - where /security/login.jsp and /security/loginerror.jsp are my form-login-page and form-error-page.

3. I have a LoginServlet that is the "action" of my form in login.jsp. This servlet sets cookies for the user's username, password and a rememberMe flag (if they want to be remembered). It sets the cookies on the request.getContextPath()+"/security/" path. This means that these cookies will only be accessible when this URL is present.

4. I have a LoginFilter that maps to "/security/*" that determines if the user wants to be remembered, and if so, forwards them to the LoginServlet with the "j_username" and "j_password" as part of the URL.

This all works great on Tomcat 4.1.x. On Tomcat 5, the form-login-page is presented via a forward, instead of a redirect like Tomcat 4. So I had to add a <dispatcher>FORWARD</dispatcher> to my LoginFilter mapping in order to get the filter to be invoked. This was easy enough.

The problem I'm experiencing now is that I can't get access to the rememberMe-related cookies in my Filter because they are set on the path "/myApp/security/" instead of "/". I could move the paths for my cookies to be "/" - but then anyone that logs in has access to those cookies - and if my app allows JavaScript, they could probably write some code to get users' passwords.

Anyone know of an easier workaround?

Matt
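The following is an added example, not code from Matt's post or from Tomcat. It models the browser's cookie path-match rule (RFC 6265 section 5.1.4) to show why the LoginFilter sees the rememberMe cookie when the container redirects to the login page (Tomcat 4) but not when it forwards to it (Tomcat 5): on a forward the browser's request path is still the protected URL, so a cookie scoped to "/myApp/security/" is never sent. The cookie jar, the context path "/myApp" and the protected URL are constructed for the illustration.

```javascript
// Added example, not code from the original post. It models the browser-side
// cookie path-match rule (RFC 6265 section 5.1.4) to show which cookies reach
// the server, and therefore the LoginFilter, for a given request URL.

// RFC 6265 path-match: the cookie is sent when the cookie path equals the request
// path, is a prefix of it that ends in "/", or is a prefix that is immediately
// followed by "/" in the request path.
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath.charAt(cookiePath.length) === '/';
}

// Names of the cookies in `jar` that a browser would attach to a request for `requestPath`.
function cookiesSentTo(jar, requestPath) {
  return jar.filter(c => pathMatches(c.path, requestPath)).map(c => c.name);
}

// Constructed cookie jar: the container's session cookie at the context root and the
// remember-me cookie scoped to "/myApp/security/" as described in the post.
const JAR = [
  { name: 'JSESSIONID', path: '/myApp' },
  { name: 'rememberMe', path: '/myApp/security/' },
];

// The path the browser actually requests when the container shows the login page for a
// protected resource. With a redirect the browser fetches the login page URL itself;
// with a forward the browser's request path stays the protected URL.
function loginRequestPath(protectedPath, loginPage, mode) {
  return mode === 'redirect' ? loginPage : protectedPath;
}

// Cookies the LoginFilter can read when a user requests `protectedPath` and the
// container presents the login page in the given mode ('redirect' or 'forward').
function cookiesVisibleToLoginFilter(jar, protectedPath, mode) {
  return cookiesSentTo(jar, loginRequestPath(protectedPath, '/myApp/security/login.jsp', mode));
}

// Stand-alone run: compare both container behaviours for the same protected URL.
for (const mode of ['redirect', 'forward']) {
  console.log(mode, cookiesVisibleToLoginFilter(JAR, '/myApp/reports/list.jsp', mode));
}
```

Running it prints `redirect [ 'JSESSIONID', 'rememberMe' ]` and `forward [ 'JSESSIONID' ]`. The same rule explains the trade-off named in the post: widening the cookie path to "/" makes the cookie visible on every request in the context, including any page where script can run, which is exactly the exposure the narrow "/security/" path was limiting.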
