Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#ccccff
public class InsecureServlet extends HttpServlet {
  private UserDAO userDAO;

  // ...

  private String login(HttpServletRequest request, HttpServletResponse response) {
    List<String> errors = new ArrayList<String>();
    request.setAttribute("errors", errors);

    String username = request.getParameter("username");
    String password = request.getParameter("password");

    // Basic input validation
    if(!username.matches("[\\w]*") || !password.matches("[\\w]*")) {
      errors.add("Incorrect user name or password format.");
      return "error.jsp";
    }

    UserBean dbUser = this.userDAO.lookup(username);
    if(!dbUser.checkPassword(password)) {
      errors.add("Passwords do not match.");
      return "error.jsp";
    }

    HttpSession session = request.getSession();
    // Invalidate old session id
    session.invalidate();
    // Generate new session id
    session = request.getSession(true);
    // Set session timeout to one hour
    session.setMaxInactiveInterval(60*60);
    // Store user bean within the session
    session.setAttribute("user", dbUser);

    return "welcome.jsp";
  }
}

...