Thread: Servlets and HttpSession

This is my first attempt at writing a servlet. I'm trying to create a simple login page that directs users to their account page where they can update their account details and such. However I'm getting the feeling that I'm not doing this right. Do I really need to use HttpSession here? If so, what should I be using it for besides storing their account name?

Also, how should I go about redirecting users who have edited their account details back to their account page?

public class Main extends HttpServlet {
	public void doGet (HttpServletRequest r1, HttpServletResponse r2) throws IOException, ServletException {
		r2.setContentType ("text/html");
		PrintWriter p = r2.getWriter ();
		String sqluser = "root", sqlpass = "password";
		String account, password, request;
		request = r1.getParameter ("request");
 
		p.println ("<head>");
		p.println ("<title>Main</title>");
		p.println ("</head>");
		p.println ("<body>");
		p.println ("<p>");
 
		/*
		user login
		*/
		if (request.equals("login")) {
		account = r1.getParameter ("account");
		password = r1.getParameter ("password");
 
		//search for account and password matches in sql database -> resultset res
 
		if (res.next()==true) {
			HttpSession session = r1.getSession();
			session.setAttribute("logon.isDone", account);
 
			String firstname = res.getString("firstname");
			String lastname = res.getString("lastname");
			String address = res.getString("address");
			String province = res.getString("province");
			String city = res.getString("city");
 
			p.println ("<h2>logged in as:</h2>");
			p.println ("<b>account</b>: " +account+ "<br/>");
			p.println ("<b>first name</b>: " +firstname+ "<br/>");
			p.println ("<b>last name</b>: " +lastname+ "<br/>");
			p.println ("<b>address</b>: " +address+ "<br/>");
			p.println ("<b>province</b>: " +province+ "<br/>");
			p.println ("<b>city</b>: " +city+ "<br/>");
			p.println ("<b>session</b>: " +session.getAttribute("logon.isDone")+"-"+session.getId()+ "<br/>");
 
			p.println ("<form action='localhost:8080/servlet/Main' method='post'>");
			p.println ("<input type='hidden' name='account' value='"+account+"'>");
			p.println ("<input type='hidden' name='password' value='"+password+"'>");
			p.println ("<input type='hidden' name='firstname' value='"+firstname+"'>");
			p.println ("<input type='hidden' name='lastname' value='"+lastname+"'>");
			p.println ("<input type='hidden' name='address' value='"+address+"'>");
			p.println ("<input type='hidden' name='province' value='"+province+"'>");
			p.println ("<input type='hidden' name='city' value='"+city+"'>");
			p.println ("<p><input type='submit' value='edit details' name='request' size='10'><input type='submit' value='edit password' name='request' size='10'></p>");
			p.println ("<p><input type='submit' value='logout' name='request' size='10'></p>");
			p.println ("</form>");
			}
			else {
				p.println ("<h2>error: incorrect account name and/or password</h2><br/>");
			}
		}
 
		/*
		logout
		*/
		else if (request.equals("logout")) {
			session.invalidate();
		}
 
		/*
		send account edit form
		*/
		else if (request.equals("edit details")) {
			account = r1.getParameter ("account");
			password = r1.getParameter ("password");
			String firstname = r1.getParameter ("firstname");
			String lastname = r1.getParameter ("lastname");
			String address = r1.getParameter ("address");
			String province = r1.getParameter ("province");
			String city = r1.getParameter ("city");
 
			p.println ("<h2>edit account details:</h2>");
			p.println ("<form action='localhost:8080/servlet/Main' method='post'>");
			p.println ("<input type='hidden' name='account' value='"+account+"'>");
			p.println ("<input type='hidden' name='password' value='"+password+"'>");
			p.println ("<p>first name: &nbsp; <input type='text' name='firstname' value="+firstname+" size='20' maxlength='20'></p>");
			p.println ("<p>last name: &nbsp; <input type='text' name='lastname' value="+lastname+" size='20' maxlength='20'></p>");
			p.println ("<p>address: &nbsp; <input type='text' name='address' value="+address+" size='20' maxlength='20'></p>");
			p.println ("<p>province: &nbsp; <input type='text' name='province' value="+province+" size='3' maxlength='3'></p>");
			p.println ("<p>city: &nbsp; <input type='text' name='city' value="+city+" size='20' maxlength='20'></p>");
			p.println ("<p><input type='submit' value='update details' name='request' size='10'></p>");
			p.println ("</form>");
		}
 
		/*
		update account
		*/
		else if (request.equals("update details")) {
			account = r1.getParameter ("account");
			password = r1.getParameter ("password");
			String firstname = r1.getParameter ("firstname");
			String lastname = r1.getParameter ("lastname");
			String address = r1.getParameter ("address");
			String province = r1.getParameter ("province");
			String city = r1.getParameter ("city");
 
			//update record in sql database
 
			p.println ("<h2>account details updated</h2>");
 
			//redirect user to their account page
		}
 
		p.println ("</p>");
		p.println ("</body>");
		p.println ("</html>");
	}
 
	public void doPost (HttpServletRequest r1, HttpServletResponse r2) throws ServletException, IOException {
		doGet (r1, r2);
	}
}

First off I'd say you should use JSP pages for the webcontent and just use the servlet for the logic. Once a request comes in to the servlet, do your checks and then forward the user to the correct jsp.

To forward a user to a jsp use this piece of code.

        request.getRequestDispatcher("/page/to/page.jsp").forward(request, response);

So in theory whats nice to do is use the servlet to redirect your requests to the appropriate logic that puts the correct objects on your httpSession and then forward the user to a certain jsp page.

In your case you'd like to do something like this.

public void doGet (HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
 
    final String username = request.getParameter("username");
    final String password = request.getParameter("password"); // TODO: Dont forget to turn this into a hash
 
    if(username != null && password != null) {
        // Check if the username and password match the needed credentials to get in.
        if(username.equals() && password.equals()) {
           request.getSession().setAttribute("user", userObject); // Set the user object on the session so we can grab it whenever we want
 
            // Send the user to the logged in page
            request.getRequestDispatcher("/page/to/loggedin.jsp").forward(request, response);
        } else {
            // Login failed, send the user to login failed page
            request.getRequestDispatcher("/page/to/loginfailed.jsp").forward(request, response);
        }
    }
}

When actually rendering your jsp pages you might also want to check that the userObject exists on the session or do some sort of magic to make sure the user is actually logged in.

// Json

Yeah, I was planning on using JSP once I had the logic bit sorted out.

So far I've split the servlet into two: login and register. I've also created separate methods for the SQL instructions, and am now using the HttpSession to store the account details. I'm going to move the HTML code to JSP next, so I'll let you know how it turns out.

Brilliant, best of luck to you and just ask if you need another hand with anything.

// Json