Architechture for project:
1
2
3
4
5
6
7
8
9
| /views/
├── layouts
├── layout.jsp
├── pages
├── login.jsp
├── login_form_content.jsp
├── logout.jsp
├── home.jsp
├── home_content.jsp
|
- Update webcome file in web.xml:
1
2
3
| <welcome-file-list>
<welcome-file>views/pages/home.jsp</welcome-file>
</welcome-file-list>
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
| <%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>${param.pageTitle}</title>
<link href="${pageContext.request.contextPath}/assets/css/bootstrap.css" rel="stylesheet">
<link rel="stylesheet" href="${pageContext.request.contextPath}/assets/css/style.css">
</head>
<body>
<nav class="navbar navbar-expand-lg navbar-dark bg-dark">
<div class="container">
<a class="navbar-brand" href="${pageContext.request.contextPath}/views/pages/home.jsp">
JSP Shop
</a>
</div>
</nav>
<main class="container py-4">
<jsp:include page="/views/pages/${contentPage}" />
</main>
<footer class="bg-light border-top mt-5">
<div class="container py-3 text-center small text-muted">
© 2025 Hieu Nguyen - AI lecturer - FPT University Can Tho
</div>
</footer>
<script src="${pageContext.request.contextPath}/assets/js/bootstrap.bundle.min.js"></script>
<script src="${pageContext.request.contextPath}/assets/js/main.js"></script>
</body>
</html>
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
| <%@ page contentType="text/html;charset=UTF-8" %>
<%@ page import="jakarta.servlet.*" %>
<%
if ("POST".equalsIgnoreCase(request.getMethod())) {
String username = request.getParameter("username");
String password = request.getParameter("password");
if ("admin".equals(username) && "123".equals(password)) {
response.sendRedirect("home.jsp");
return;
} else {
request.setAttribute("loginError", "Username or password are failed!");
}
}
request.setAttribute("contentPage", "login_form_content.jsp");
%>
<jsp:include page="../layouts/layout.jsp" >
<jsp:param name="pageTitle" value="Login - JSP Shop" />
</jsp:include>
|
- Create login_form_content.jsp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| <%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<h2 class="mb-4">Login Form</h2>
<form action="" method="post" class="col-md-4">
<div class="mb-3">
<label for="username" class="form-label">Username</label>
<input type="text" id="username" name="username" class="form-control" required>
</div>
<div class="mb-3">
<label for="password" class="form-label">Password</label>
<input type="password" id="password" name="password" class="form-control" required>
</div>
<button type="submit" class="btn btn-primary">Login</button>
</form>
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
<%@ page contentType="text/html;charset=UTF-8" %>
<%@ page import="jakarta.servlet.*" %>
<%
// Get stoge
request.setAttribute("username", "admin");
request.setAttribute("contentPage", "home_content.jsp");
%>
<jsp:include page="../layouts/layout.jsp" >
<jsp:param name="pageTitle" value="Home - JSP Shop" />
</jsp:include>
|
1
2
3
4
5
| <%@ page contentType="text/html;charset=UTF-8" %>
<%@ page import="jakarta.servlet.*" %>
<h2>Welcome, ${username} (Cookie Based)</h2>
<a href="${pageContext.request.contextPath}/views/pages/logout.jsp">Logout</a>
|
1
2
3
| <%
response.sendRedirect(request.getContextPath() + "/views/pages/login.jsp");
%>
|
Session-based and Cookie-based
Structure it so each file has two clearly labeled sections:
- Option 1: Cookie Approach
- Option 2: Session Approach
with comments and explanatory differences.
Option 1. Cookie-based Login/Logout Approach
1.1 Theory - Cookie-based Authentication
A Cookie-based authentication approach stores user-related information (e.g., username, token) on the client-side in a small text file called a cookie.
The browser sends cookies automatically with each request to the same domain, enabling the server to identify the user.
Advantages:
- Persistent login across sessions if cookie expiry is set.
- No server-side memory usage for authentication state.
Disadvantages:
- Less secure if sensitive data is stored directly (must encrypt or hash).
- User can delete or modify cookies.
1.2 Commonly Used Cookie Methods
| Method | Description |
|---|
new Cookie(name, value) | Creates a new cookie object |
cookie.setMaxAge(seconds) | Sets lifetime (in seconds); 0 deletes cookie immediately |
cookie.getName() | Returns cookie name |
cookie.getValue() | Returns cookie value |
response.addCookie(cookie) | Sends cookie to client |
request.getCookies() | Returns an array of cookies sent by the client |
1.3 Login/logout by Cookie-based
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| <%@ page import="jakarta.servlet.*" %>
<%
// ...
if ("admin".equals(username) && "123".equals(password)) {
Cookie cookie = new Cookie("username", username);
cookie.setMaxAge(60 * 60); // 1 hour
response.addCookie(cookie);
response.sendRedirect("home.jsp");
return;
} else {
request.setAttribute("loginError", "Username or password are failed!");
}
// ...
%>
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
| <%@ page import="jakarta.servlet.*" %>
<%
// Get stoge
String username = null;
Cookie[] cookies = request.getCookies();
if (cookies != null) {
for (Cookie c : cookies) {
if ("username".equals(c.getName())) {
username = c.getValue();
break;
}
}
}
if (username == null) {
response.sendRedirect(request.getContextPath() + "/views/pages/login.jsp");
return;
}
request.setAttribute("username", "admin");
request.setAttribute("contentPage", "home_content.jsp");
%>
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| <%@ page import="jakarta.servlet.http.*" %>
<%
Cookie[] cookies = request.getCookies();
if (cookies != null) {
for (Cookie c : cookies) {
if ("username".equals(c.getName())) {
c.setMaxAge(0);
c.setPath(request.getContextPath());
response.addCookie(c);
}
}
}
response.sendRedirect(request.getContextPath() + "/views/pages/login.jsp");
%>
|
Source demo
Option 2. Session-based Login/Logout Approach
1.1 Theory - Session-based Authentication
Session-based authentication is a method of maintaining user login state by storing session data on the server. When a user successfully logs in, the server creates a HttpSession object containing the user’s information (e.g., username, role).
The server assigns a unique Session ID, sent to the client (usually via a cookie named JSESSIONID).
On each request, the browser sends this Session ID, allowing the server to retrieve the user’s stored data from memory.
| | |
|---|
| Advantage | |
| Server-side storage | Sensitive data is stored on the server, not the client, reducing exposure. |
| Easy to implement | JSP and Servlet provide built-in HttpSession support. |
| Supports large data | Can store more data than cookies without worrying about size limits (~4KB limit in cookies). |
| Automatic timeout | Sessions can be set to expire after a period of inactivity. |
| Disadvantage | |
| Server memory usage | Each active user session consumes server memory. |
| Not stateless | Requires server to maintain state, reducing scalability in distributed systems unless session replication is used. |
| Dependent on cookies (by default) | If the user disables cookies, session tracking requires URL rewriting. |
| Session fixation risk | If not handled correctly, attackers could hijack a session ID. |
1.2 Commonly Used Cookie Methods in JSP
| Method | Description |
|---|
request.getSession() | Returns the current session, creating one if it does not exist. |
request.getSession(false) | Returns the current session only if it exists, otherwise returns null. |
session.setAttribute(String name, Object value) | Stores an attribute in the session. |
session.getAttribute(String name) | Retrieves an attribute from the session. |
session.removeAttribute(String name) | Removes an attribute from the session. |
session.invalidate() | Invalidates the session, removing all attributes. |
session.getId() | Returns the unique session ID. |
session.getCreationTime() | Returns the time when the session was created. |
session.getLastAccessedTime() | Returns the last time the client sent a request with this session. |
session.setMaxInactiveInterval(int seconds) | Sets the maximum inactive time before the session expires. |
1.3 Login/logout by Cookie-based
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| <%@ page import="jakarta.servlet.*" %>
<%
// ...
if ("admin".equals(username) && "123".equals(password)) {
session.setAttribute("username", username);
response.sendRedirect("home.jsp");
return;
} else {
request.setAttribute("loginError", "Username or password are failed!");
}
// ...
%>
|
1
2
3
4
5
6
7
8
| <%@ page import="jakarta.servlet.*" %>
<%
// Get stoge
String username = session.getAttribute("username");
request.setAttribute("username", username);
request.setAttribute("contentPage", "home_content.jsp");
%>
|
1
2
3
4
5
6
| <%@ page import="jakarta.servlet.http.*" %>
<%
session.invalidate();
response.sendRedirect(request.getContextPath() + "/views/pages/login.jsp");
%>
|
Source demo