Architechture for project:

1
2
3
4
5
6
7
8
9

/views/
    ├── layouts
        ├── layout.jsp
    ├── pages
        ├── login.jsp
        ├── login_form_content.jsp
        ├── logout.jsp
        ├── home.jsp
        ├── home_content.jsp

1
2
3

<welcome-file-list>
    <welcome-file>views/pages/home.jsp</welcome-file>
</welcome-file-list>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>${param.pageTitle}</title>
    <link href="${pageContext.request.contextPath}/assets/css/bootstrap.css" rel="stylesheet">
    <link rel="stylesheet" href="${pageContext.request.contextPath}/assets/css/style.css">
</head>
<body>
    <nav class="navbar navbar-expand-lg navbar-dark bg-dark">
        <div class="container">
            <a class="navbar-brand" href="${pageContext.request.contextPath}/views/pages/home.jsp">
                JSP Shop
            </a>
        </div>
    </nav>

    <main class="container py-4">
        <jsp:include page="/views/pages/${contentPage}" />
    </main>

    <footer class="bg-light border-top mt-5">
        <div class="container py-3 text-center small text-muted">
            © 2025 Hieu Nguyen - AI lecturer - FPT University Can Tho
        </div>
    </footer>

    <script src="${pageContext.request.contextPath}/assets/js/bootstrap.bundle.min.js"></script>
    <script src="${pageContext.request.contextPath}/assets/js/main.js"></script>
</body>
</html>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

<%@ page contentType="text/html;charset=UTF-8" %>
<%@ page import="jakarta.servlet.*" %>

<%
    if ("POST".equalsIgnoreCase(request.getMethod())) {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if ("admin".equals(username) && "123".equals(password)) {
            response.sendRedirect("home.jsp");
            return;
        } else {
            request.setAttribute("loginError", "Username or password are failed!");
        }
    }

    request.setAttribute("contentPage", "login_form_content.jsp");
%>

<jsp:include page="../layouts/layout.jsp" >
    <jsp:param name="pageTitle" value="Login - JSP Shop" />
</jsp:include>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>

<h2 class="mb-4">Login Form</h2>
<form action="" method="post" class="col-md-4">
    <div class="mb-3">
        <label for="username" class="form-label">Username</label>
        <input type="text" id="username" name="username" class="form-control" required>
    </div>

    <div class="mb-3">
        <label for="password" class="form-label">Password</label>
        <input type="password" id="password" name="password" class="form-control" required>
    </div>

    <button type="submit" class="btn btn-primary">Login</button>
</form>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

<%@ page contentType="text/html;charset=UTF-8" %>
<%@ page import="jakarta.servlet.*" %>

<%
    // Get stoge

    request.setAttribute("username", "admin");
    request.setAttribute("contentPage", "home_content.jsp");
%>

<jsp:include page="../layouts/layout.jsp" >
    <jsp:param name="pageTitle" value="Home - JSP Shop" />
</jsp:include>


1
2
3
4
5

<%@ page contentType="text/html;charset=UTF-8" %>
<%@ page import="jakarta.servlet.*" %>

<h2>Welcome, ${username} (Cookie Based)</h2>
<a href="${pageContext.request.contextPath}/views/pages/logout.jsp">Logout</a>

1
2
3

<%
    response.sendRedirect(request.getContextPath() + "/views/pages/login.jsp");
%>

Structure it so each file has two clearly labeled sections:

1.1 Theory - Cookie-based Authentication

A Cookie-based authentication approach stores user-related information (e.g., username, token) on the client-side in a small text file called a cookie.

The browser sends cookies automatically with each request to the same domain, enabling the server to identify the user.

Advantages:

Disadvantages:

Method Description
new Cookie(name, value) Creates a new cookie object
cookie.setMaxAge(seconds) Sets lifetime (in seconds); 0 deletes cookie immediately
cookie.getName() Returns cookie name
cookie.getValue() Returns cookie value
response.addCookie(cookie) Sends cookie to client
request.getCookies() Returns an array of cookies sent by the client 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

<%@ page import="jakarta.servlet.*" %>

<%
    // ...
    if ("admin".equals(username) && "123".equals(password)) {
        Cookie cookie = new Cookie("username", username);
        cookie.setMaxAge(60 * 60); // 1 hour
        response.addCookie(cookie);

        response.sendRedirect("home.jsp");
        return;
    } else {
        request.setAttribute("loginError", "Username or password are failed!");
    }

    // ...
%>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

<%@ page import="jakarta.servlet.*" %>

<%
    // Get stoge
    String username = null;
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie c : cookies) {
            if ("username".equals(c.getName())) {
                username = c.getValue();
                break;
            }
        }
    }

    if (username == null) {
        response.sendRedirect(request.getContextPath() + "/views/pages/login.jsp");
        return;
    }

    request.setAttribute("username", "admin");
    request.setAttribute("contentPage", "home_content.jsp");
%>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

<%@ page import="jakarta.servlet.http.*" %>

<%
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie c : cookies) {
            if ("username".equals(c.getName())) {
                c.setMaxAge(0);
                c.setPath(request.getContextPath());
                response.addCookie(c);
            }
        }
    }

    response.sendRedirect(request.getContextPath() + "/views/pages/login.jsp");
%>

Source demo

Option 2. Session-based Login/Logout Approach

1.1 Theory - Session-based Authentication

Session-based authentication is a method of maintaining user login state by storing session data on the server. When a user successfully logs in, the server creates a HttpSession object containing the user’s information (e.g., username, role).

The server assigns a unique Session ID, sent to the client (usually via a cookie named JSESSIONID).

On each request, the browser sends this Session ID, allowing the server to retrieve the user’s stored data from memory.

   
Advantage  
Server-side storage Sensitive data is stored on the server, not the client, reducing exposure.
Easy to implement JSP and Servlet provide built-in HttpSession support.
Supports large data Can store more data than cookies without worrying about size limits (~4KB limit in cookies).
Automatic timeout Sessions can be set to expire after a period of inactivity.
Disadvantage  
Server memory usage Each active user session consumes server memory.
Not stateless Requires server to maintain state, reducing scalability in distributed systems unless session replication is used.
Dependent on cookies (by default) If the user disables cookies, session tracking requires URL rewriting.
Session fixation risk If not handled correctly, attackers could hijack a session ID.
Method Description
request.getSession() Returns the current session, creating one if it does not exist.
request.getSession(false) Returns the current session only if it exists, otherwise returns null.
session.setAttribute(String name, Object value) Stores an attribute in the session.
session.getAttribute(String name) Retrieves an attribute from the session.
session.removeAttribute(String name) Removes an attribute from the session.
session.invalidate() Invalidates the session, removing all attributes.
session.getId() Returns the unique session ID.
session.getCreationTime() Returns the time when the session was created.
session.getLastAccessedTime() Returns the last time the client sent a request with this session.
session.setMaxInactiveInterval(int seconds) Sets the maximum inactive time before the session expires. 
1
2
3
4
5
6
7
8
9
10
11
12
13
14

<%@ page import="jakarta.servlet.*" %>

<%
    // ...
    if ("admin".equals(username) && "123".equals(password)) {
        session.setAttribute("username", username);
        response.sendRedirect("home.jsp");
        return;
    } else {
        request.setAttribute("loginError", "Username or password are failed!");
    }

    // ...
%>

1
2
3
4
5
6
7
8

<%@ page import="jakarta.servlet.*" %>

<%
    // Get stoge
    String username = session.getAttribute("username");
    request.setAttribute("username", username);
    request.setAttribute("contentPage", "home_content.jsp");
%>

1
2
3
4
5
6

<%@ page import="jakarta.servlet.http.*" %>

<%
    session.invalidate();
    response.sendRedirect(request.getContextPath() + "/views/pages/login.jsp");
%>

Source demo