Chris,

I found your post at
http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/
msg111700.html and I'm cc'ing the list in case anyone else is
interested in this info (I'm not subscribed).

I've actually improved the "Remember Me" feature a fair amount since I
posted to the Tomcat User list. The sendRedirect works, however, it
(in some browsers) puts the URL (with password) into the address bar.  
This isn't a big deal IMO since it's the user that just logged in and
they don't mind seeing their own passwords. However, the URL tends to
show up in server log files which can be a security hole. Because of
this, I changed to using an HTTP Post with Jakarta Common's HttpClient.
I also moved my form-login-page and form-error-page into a "security"
folder and then set my cookies for the /appname/security path rather
than / - this makes it so the user/pass cookies are more secure and can
only be retrieved when logging in, rather than for any URL in the site.

That being said, I've updated one of my sample apps with these changes
and you can download it if you'd like:

http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse

Here's my updated LoginServlet that does an Http Post instead of a Get:

http://tinyurl.com/xl80

HTH,

Matt

On Dec 3, 2003, at 12:52 PM, Chris Ward wrote:

>
> Hi Matt,
>
> Sorry for sending unsolicited email but I've been looking at some
> of your postings to Tomcat-User and wondered if I could ask a
> couple of questions. I've tried posting to list but had no response
> from anyone there.
>
> Specifically, it's regarding your "remember me" login stuff. If this
> is a pain feel free to ignore this email.
>
>
> Best regards
> Chris
>
> p.s. My question the list was under the subject
> "servlet sendRedirect() to j_security_check problem"
>
>
> --
>
> Chris Ward, Horizon Asset Limited
> <mailto:cward@(protected)>
> Tel +44 (20) 7367 7028, Fax 7367 7029
>
> --
>
>
> THIS E-MAIL MAY CONTAIN CONFIDENTIAL AND/OR PRIVILEGED INFORMATION.
> IF YOU ARE NOT THE INTENDED RECIPIENT (OR HAVE RECEIVED THIS E-MAIL
> IN ERROR) PLEASE NOTIFY THE SENDER IMMEDIATELY AND DESTROY THIS E-
> MAIL. ANY UNAUTHORISED COPYING, DISCLOSURE OR DISTRIBUTION OF THE
> MATERIAL IN THIS E-MAIL IS STRICTLY FORBIDDEN.
>
>       HORIZON ASSET LIMITED IS AUTHORISED AND REGULATED
>           BY THE FINANCIAL SERVICES AUTHORITY.
>