使用 cookie/sessions 存储用户名、密码 - Java Servlets
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/26206953/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Storing username, pasword using cookies/sessions - Java Servlets
提问by newbdeveloper
I am trying to create a registration page using servlets. I have created a basic HTML page which has a form with input for username and password. Now what I need to do is store the information submitted to the form using cookies/sessions. Then on the log-in page, a user must be able to login using the information they provided earlier. So basically I need to know how to store the username and password.
我正在尝试使用 servlet 创建一个注册页面。我创建了一个基本的 HTML 页面,它有一个包含用户名和密码输入的表单。现在我需要做的是使用 cookie/sessions 存储提交给表单的信息。然后在登录页面上,用户必须能够使用他们之前提供的信息登录。所以基本上我需要知道如何存储用户名和密码。
So if I were register with the username: admin and password 123, and then register with the username: user and password: 12345, I shouldn't be able to login with admin and 12345 or user and 123. Thanks!!
因此,如果我使用用户名:admin 和密码 123 注册,然后使用用户名:user 和密码:12345 注册,我应该无法使用 admin 和 12345 或 user 和 123 登录。谢谢!
HTML FORM
HTML 表单
<html>
<head>
<title>Registration</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body bgcolor="lightblue">
<center>
<h1></h1>
<br>
<hr>
<br><br>
<form action="/Registration" method="get">
<h3> Please register to start </h3>
Username: <input type="text" name="userName">
<br>
Password: <input type="password" name="password">
<br>
<br>
<input type="submit" value="Register">
<br><br>
</form>
</center>
</body>
</html>
JAVA SERVLET
JAVA SERVLET
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
processRequest(request, response);
// Create cookies for first and last names.
Cookie userName = new Cookie("userName",
request.getParameter("userName"));
Cookie password = new Cookie("password",
request.getParameter("password"));
// Set expiry date after 24 Hrs for both the cookies.
userName.setMaxAge(60*60*24);
password.setMaxAge(60*60*24);
// Add both the cookies in the response header.
response.addCookie( userName );
response.addCookie( password );
采纳答案by ug_
Cookies are stored on the client side and are sent to the server with each request. It is not good practice to add passwords in cookies because they are easily intercepted and in many cases stick around in the users browser even after they leave the site.
Cookie 存储在客户端,并随每个请求发送到服务器。在 cookie 中添加密码不是一个好习惯,因为它们很容易被拦截,并且在许多情况下,即使在用户离开网站后,它们也会留在用户浏览器中。
You should be relying on a session, Java EE allows you to create a session with the user where by it will store a session id that is then sent with each request instead. You can store information about that user on the server instead.
您应该依赖会话,Java EE 允许您创建与用户的会话,在该会话中它将存储会话 ID,然后与每个请求一起发送该会话 ID。您可以将有关该用户的信息存储在服务器上。
Using your code here is how you can create a session.
在此处使用您的代码是创建会话的方法。
// get the session, add argument `true` to create a session if one is not yet created.
HttpSession session = request.getSession(true);
session.setAttribute("userName", request.getParameter("userName"));
session.setAttribute("password", request.getParameter("password"));
// to get the username and password
String userName = session.getAttribute("userName");
String password = session.getAttribute("password");
Now of course if you do things this way when you clear your servers cache usernames and passwords will be erased. Also non encrypted passwords in the servers cache certainly has security concerns.
当然,如果您在清除服务器缓存时以这种方式执行此操作,则用户名和密码将被删除。服务器缓存中的非加密密码当然也存在安全问题。
Edit:
编辑:
If 2 people were to use the same computer then no, the code above would not work well. This is because the users credentials are only stored in the session, there is nothing that persists after the session is destroyed or the data in the session is overwritten. Imagine the session is a object that is directly tied to each user. So right now i'm on StackOverflow where somewhere in their code there is a special object just for me and my browser (the session!), in the session object there is something else that says that current logged in user is me. I challenge you to think about how you could store the users credentials outside the session and instead store the currently logged in user inside the session.
如果 2 个人使用同一台计算机,则不,上面的代码将无法正常工作。这是因为用户凭据仅存储在会话中,会话销毁或会话中的数据被覆盖后,不会再有任何内容。想象一下,会话是一个直接绑定到每个用户的对象。所以现在我在 StackOverflow 上,在他们的代码中的某个地方有一个专门为我和我的浏览器使用的特殊对象(会话!),在会话对象中还有其他内容表明当前登录的用户是我。我挑战您考虑如何将用户凭据存储在会话之外,而将当前登录的用户存储在会话中。
To learn more about sessions and how they work there's a great answer here: What are sessions? How do they work?.
要了解有关会话及其工作原理的更多信息,这里有一个很好的答案:什么是会话?它们是如何工作的?.
