1. The Form Based AuthenticationHandler would take care of sending (and receiving) the auth cookie automatically after your authentication credentials have been confirmed as valid.
2. This should happen automatically as well if you are using the Form Based AuthenticationHandler. If you are creating a custom authentication handler, you could get the cookie that you had previously set from the http request that was sent from the browser. See: http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getCookies()

Regards,
Eric

On Fri, Mar 29, 2013 at 1:12 PM, Matthew Taylor <[email protected]> wrote:
> Hello!
>
> I have been using Apache Sling for a little while now, but am only just
> starting to familiarize myself with, and implement, user authentication
> within Sling. I am also new to user auth and user management in general.
>
> I am building a web interface, and want to include standard form-based
> authentication for the users (i.e. username and password). I have begun to
> explore Sling's form-based AuthenticationHandler, and have a couple of
> questions:
>
> 1. When a user's session is deemed valid by requestCredentials, does Sling
> store the secure token - mentioned on the AuthenticationHandler's web page
> - in the user's cookies automatically, as a signature of the user's valid
> session? Or is that something that I would have to implement explicitly
> myself?
> 2. If Sling stores the secure token without any intervention on my part,
> what is the best way to retrieve it during extractCredentials to check for
> a valid session? Since I'm new to web auth, I still am not entirely clear
> on a cookie's structure, or an HTTP session's structure, if that is where
> it is stored.
>
> Any answers/advice would be greatly appreciated!
>
> Warmly,
> Matt Taylor
>
> --
> Email: [email protected]
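
The custom-handler case mentioned in the reply, as an added example that is not part of the original thread and is not Sling's own code: a helper that a custom handler's extractCredentials could call to read a cookie through `HttpServletRequest.getCookies()` and verify it before trusting it. The class name, the cookie name `example.auth` and the token layout are assumptions made for illustration; they are not the format used by Sling's form-based handler.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical helper for a custom handler; not Sling's own token format. */
public final class AuthCookieReader {
    // Assumed cookie name and layout: base64url(userId) "." expiryMillis "." base64url(HMAC)
    static final String COOKIE_NAME = "example.auth";
    private final SecretKeySpec key;

    public AuthCookieReader(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    /** Returns the authenticated user id, or null if no valid cookie is present. */
    public String extractUserId(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // null when the request carries no cookies
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) {
                return verify(c.getValue(), System.currentTimeMillis());
            }
        }
        return null;
    }

    /** The cookie value is client-controlled, so nothing in it is used before the MAC checks out. */
    String verify(String value, long nowMillis) {
        if (value == null) return null;
        String[] parts = value.split("\\.", -1);
        if (parts.length != 3) return null;
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(key);
            byte[] expected = mac.doFinal((parts[0] + "." + parts[1]).getBytes(StandardCharsets.UTF_8));
            byte[] sent = Base64.getUrlDecoder().decode(parts[2]);
            if (!MessageDigest.isEqual(expected, sent)) return null; // constant-time comparison
            if (Long.parseLong(parts[1]) < nowMillis) return null;   // token has expired
            return new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return null; // malformed number, bad base64, or MAC setup failure
        }
    }
}
```

When setting such a cookie, mark it `HttpOnly` and `Secure` so that page scripts cannot read it and it is never sent over plain HTTP.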
