How to "automatically login" user after remember me cookie is checked?

Question

I need to implement "Remember me" functionallity on my JSF site, i´ve been researching about this topic trying to find what the best practices are. Ive found many answers, but i still have a question based on the technology i use and the way i store user passwords in my database.

Summarizing what i've found

• Create a database table containing the user and a hard to guess long serial.
• When a user logs in with the remember me option checked, generate a registry on the db table and send a cookie to the user with both username and serial in it.
• In case the same user isnt logged in, and has a valid cookie according to the database, Automatically login the user.

How i actually login users

Based on Java EE standards i use JAAS and i store the MD5 version of user passwords. I login my users through the login method of the HttpServletRequest class which needs a username and a password in order to validate the authentication and set the user principal.

---

Based on these two facts, how can i do the automatic login based on this best practice if i need both username and password in order to login the user?

Answer 1

how can i do the automatic login based on this best practice if i need both username and password in order to login the user?

Just get username and password straight from the DB based on the value of the "remember me" cookie. Then you can provide them to the HttpServletRequest#login() method.

Note that the value of the "remember me" cookie should absolutely not contain any hints about the username, password nor ID. It should be an absolutely random value. The java.util.UUID is helpful here.

See also:

• Automatic login to JSF application on revisits, after once logged in