Re: stay logged in/session expiration time

Mon, 10 Sep 2007 12:46:18 -0700 

Thank you John, that's exactly what I was looking for!

John Ray wrote:

I think what you are looking for are the following steps

1) When a user first comes to the site check if they have a cookie from a
prior visit and automatically log them in.
2) If they don't have a cookie then redirect them to the login page
3) As they log in set a cookie on their browser so the next time they visit
they will be automatically logged in during step 1 above. The cookie will
need to contain the the user name and password to authenticate them. It
would probably be best for added security to do a one way hash (such as SHA)
on the password though and not store the actually password in the cookie. 
To do steps 1 and 2 you need your own AuthorizationStrategy for your
application. Look at the wicket example to do this

    http://wicketstuff.org/wicket13/signin/

Don't forget there is a link to view the source code in the top right of the
page. You need to modify the AuthorizationStrategy to something like this

public class MyAuthorizationStrategy implements IAuthorizationStrategy {

  public boolean isInstantiationAuthorized(Class componentClass) {
    if (AuthenticatedWebPage.class.isAssignableFrom(componentClass)) {
      // Is user signed in?
      if (((SignInSession)Session.get()).isSignedIn()) {
        // okay to proceed
        return true;
    }

    // Look at cookies to determine if the user should be logged in
automatically
    Cookie[] cookies = ((WebRequest)
RequestCycle.get().getRequest()).getCookies();
    ... iterate through each cookie for our magic login cookie
    ... If a cookie is found then log the user in

    // Redirect user to login page if there was no cookie
    throw new RestartResponseAtInterceptPageException(SignIn.class);
  }

  ...
}

For step 3 you'll need to modify the onSubmit() method in the login page so
that it sets a cookie on the browser when the user is logged in. 
  Cookie loginCookie = new Cookie(...);
  ... Also set the cookie MaxAge so that the browser will remeber it even if
the browser is closed
  getWebRequestCycle().getWebResponse().addCookie(loginCookie);

The Cookies are just standard J2EE cookies from the servlet API so look at
the J2EE docs for more info on them.



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to