"stay logged in" login page
I want to implement a stay logged in or remember me in my jsp login page. I am using container based form authentication. I think I need to I have to store users' data such as userid and token - a status information to determine whether as user is logged or not, into the cookies. Also I heard that we should not store users' password even it is encrypted.
If I store their password and userid, I can sigh them in automatically by submitting the data to servlet before I show the login page to users.
If I do not store their password, what method could I use to sign them in automatically?
I would suggest that you not create your own framework for this but rather use something like spring-security or Apache Shiro since the security of your application is pretty important and not something you generally want to build from scratch.
If this is purely for educational purposes, I would suggest looking at the code for the two mentioned applications to see how they handle it.
I have seen this implemented as a secure token in the cookie (with expiration date) whose value is also stored on the server for a set period of time and associated with a specific user account. When the user returns to the site with that cookie, the server will compare it's token value to that of the cookie and let them in if they match (and it is not expired).
Again, it is best to use pre-existing and tested libraries for this kind of work.
Best of luck.