In a JSP login or session, what is better to put in the session, the username or the ID?
And do I test on a servlet or on another JSP page?
I'm using this code in another JSP page, but I think it is not safe:
<%@ page import="java.sql.*" %>
<%-- Only run the login logic when nobody is logged in yet --%>
<%if(session.getAttribute("username") == null){%>
<%
String err;
Connection cnn;
// Load the MySQL driver and connect to the "sondage" database as root with an empty password
Class.forName(System.getProperty("database.driver","com.mysql.jdbc.Driver"));
cnn = DriverManager.getConnection("jdbc:mysql://localhost:3306/sondage","root", "");
Statement stat1 = cnn.createStatement();
String Username,Password;
Username=request.getParameter("UserName");
Password=request.getParameter("passWord");
// The number of products
// The request parameters are concatenated straight into the SQL text and the
// password is compared as stored, in plain text
ResultSet resultat = stat1.executeQuery("select * from utilisateur where username ='"+ Username +"' and password = '"+Password+"'");
if (resultat.next()) {
// Login succeeded: remember the username in the session and forward to the voting page
// (putValue has been deprecated since Servlet 2.2 in favour of setAttribute)
session.putValue("username",Username);
RequestDispatcher rd =request.getRequestDispatcher("vote.jsp");
rd.forward(request, response);
}
else {
RequestDispatcher rd =request.getRequestDispatcher("authentification.jsp?err=1");
rd.forward(request, response);
}
// cnn, stat1 and resultat are never closed on either path
%>
<%}%>
That's all up to you. I personally just put a JavaBean which represents the User entity in there, so that I have instant access to all of its properties, and I usually do this in a servlet. There are only several things which spring out as weird/unsafe:

    if(session.getAttribute("username") == null)

Why this check? Isn't the user allowed to re-login as another user? You should rather use a Filter for this.

    stat1.executeQuery("select * from utilisateur where username ='"+ Username +"' and password = '"+Password+"'")

That's a SQL injection hole. Read on about SQL injection attacks and prepared statements.

Finally, I miss the finally block wherein you properly close the JDBC resources, in order to prevent them from leaking, which may cause your application to crash in the long term whenever the DB is running out of all resources.
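The three suggestions above (a servlet holding the login logic, a User bean in the session, a Filter doing the access check, bound parameters, and resources closed in every case) put together, as an added example that is not code from the question or the answer. It assumes a javax.servlet 3.x container, a container-managed connection pool bound to the hypothetical JNDI name java:comp/env/jdbc/sondage instead of the hard-coded root/"" login, the question's table utilisateur with the columns username and password plus an assumed id column, and a login form in authentification.jsp that POSTs UserName/passWord to /login. The three classes are nested in one file only for compactness; try-with-resources takes the role of the finally block the answer asks for.

```java
package example; // hypothetical package name

import java.io.IOException;
import java.io.Serializable;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
import javax.sql.DataSource;

public final class Auth {

    /** Session-scoped bean: one attribute giving access to id and username (and any other property). */
    public static final class User implements Serializable {
        private final long id;
        private final String username;
        public User(long id, String username) { this.id = id; this.username = username; }
        public long getId() { return id; }
        public String getUsername() { return username; }
    }

    /** Receives the POST from authentification.jsp; no JDBC code lives in any JSP any more. */
    @WebServlet("/login")
    public static final class LoginServlet extends HttpServlet {
        private static final String DS_NAME = "java:comp/env/jdbc/sondage"; // assumed pool name
        // Placeholders instead of string concatenation: the input can never change the query shape.
        private static final String SQL =
            "SELECT id FROM utilisateur WHERE username = ? AND password = ?";

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            User user;
            try {
                user = authenticate(req.getParameter("UserName"), req.getParameter("passWord"));
            } catch (NamingException | SQLException e) {
                throw new ServletException("login failed", e);
            }
            if (user == null) {
                resp.sendRedirect(req.getContextPath() + "/authentification.jsp?err=1");
                return;
            }
            // Discard any pre-login session so a session id planted before login
            // (session fixation) is never promoted to an authenticated one.
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();
            req.getSession(true).setAttribute("user", user);
            resp.sendRedirect(req.getContextPath() + "/vote.jsp");
        }

        /** Returns the matching User, or null when the credentials do not match. */
        static User authenticate(String username, String password)
                throws NamingException, SQLException {
            if (username == null || password == null) return null;
            DataSource ds = (DataSource) new InitialContext().lookup(DS_NAME);
            // try-with-resources closes ResultSet, PreparedStatement and Connection in
            // reverse order on every path, including exceptions: nothing leaks to the pool.
            try (Connection cnn = ds.getConnection();
                 PreparedStatement ps = cnn.prepareStatement(SQL)) {
                ps.setString(1, username);
                ps.setString(2, password); // compared as stored, like the question's query;
                                           // a real application would store and verify a hash
                try (ResultSet rs = ps.executeQuery()) {
                    return rs.next() ? new User(rs.getLong("id"), username) : null;
                }
            }
        }
    }

    /** One central check for every JSP, so no page needs its own session test. */
    @WebFilter("*.jsp")
    public static final class AuthFilter implements Filter {
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;
            HttpSession session = req.getSession(false);
            boolean loggedIn = session != null && session.getAttribute("user") != null;
            boolean loginPage = req.getRequestURI().endsWith("/authentification.jsp");
            if (loggedIn || loginPage) {
                chain.doFilter(request, response); // let the request through
            } else {
                resp.sendRedirect(req.getContextPath() + "/authentification.jsp");
            }
        }
        @Override public void init(FilterConfig config) {}
        @Override public void destroy() {}
    }
}
```

With this in place vote.jsp reads the current user with ${sessionScope.user.username} or ${sessionScope.user.id}, and a re-login simply goes through /login again: the filter never blocks the login page, so the "is anybody logged in?" check the answer questions is no longer needed.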