Code Comments
Hi,
I have the following code. Here the client is requested to enter the username and password and forward them to a new JSP page.

```html
<form action="CheckStatus.jsp" method="get">
  <p><H2>Enter your username and password and press Submit</H2></p>
  <H3>
    <p>Username: <input type="Text" name="username"></p>
    <p>Password: <input type="Password" name="password"></p>
  </H3>
  <p>
    <input type="Submit" value="Submit">
    <input type="Reset" value="Reset">
  </p>
</form>
```

Is this secure for the username and password? If not, how can I make it better?

Thanks in Advance
It's pretty insecure. First of all you are using the method "get", which means that the parameters are passed as part of the query string. This means that the username and password will show up, in the clear, in the webserver logs. Switch to method="post"; the parameters don't show up as part of the query string.

Next, make sure that this page is _only_ accessed via SSL. Make this page a JSP, and add some Java code at the top to ensure that the request is secure (e.g. `if (request.isSecure())`). Do the same for CheckStatus.jsp. If it's not, don't honor the request.

I don't know what webserver you're using, but if it's Tomcat, it's worth having a look at their login stuff. They have protected servlets that create secure sessions, single-sign-on capabilities, etc.

Bill

Xarky wrote:
> Hi,
> I have the following code. Here the client is requested to enter
> the username and password and forward them to a new JSP page.
>
> Is this secure for the username and password? If not how can I make
> it better?
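The two checks in the reply above (refuse credentials that arrive in the query string, and only honour the login when `request.isSecure()` is true) can be centralised in a servlet `Filter` instead of being pasted at the top of every JSP. This is an added example, not code from the thread: the class name `SecureLoginFilter`, its mapping and the `/login.jsp` path are assumptions; `/CheckStatus.jsp` is the action from the original form.

```java
// Added example (not from the original thread). Servlet Filter that enforces
// HTTPS and POST for the login form and its target. Assumed web.xml wiring:
//
//   <filter>
//     <filter-name>secureLogin</filter-name>
//     <filter-class>SecureLoginFilter</filter-class>
//   </filter>
//   <filter-mapping><filter-name>secureLogin</filter-name><url-pattern>/login.jsp</url-pattern></filter-mapping>
//   <filter-mapping><filter-name>secureLogin</filter-name><url-pattern>/CheckStatus.jsp</url-pattern></filter-mapping>
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SecureLoginFilter implements Filter {

    // Path of the form handler from the original post (assumed mapping).
    private static final String LOGIN_ACTION = "/CheckStatus.jsp";

    @Override
    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String method = request.getMethod();
        String query = request.getQueryString();
        boolean credentialsInUrl = query != null
                && (query.contains("username=") || query.contains("password="));

        // 1. Only honour the request if the container says it came in over SSL/TLS.
        if (!request.isSecure()) {
            if ("GET".equals(method) && !credentialsInUrl) {
                // A plain fetch of the form page: send the browser to the https copy.
                String target = "https://" + request.getServerName() + request.getRequestURI();
                response.sendRedirect(target);
            } else {
                // Credentials already crossed the wire in clear text; redirecting would
                // only resend them. Refuse, so the caller notices something is wrong.
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Login requires HTTPS");
            }
            return;
        }

        // 2. Even over SSL, credentials in the URL land in access logs, proxy logs and
        //    browser history. Insist on a POST body for the form handler.
        if (LOGIN_ACTION.equals(request.getServletPath()) && !"POST".equals(method)) {
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "Use POST for login");
            return;
        }
        if (credentialsInUrl) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Credentials must be sent in the request body");
            return;
        }

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The filter does not replace the `method="post"` change to the form itself; it makes sure that a client (or a bookmarked URL) that still uses GET is rejected rather than quietly logged.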
Couple of points:

a) You want to be using declarative security, i.e. calling your AppServer's form-based login servlet (in WebSphere this is j_security_check). You specify which URLs require authentication, and the AppServer traps a call to that URL and presents the user with the login page you specified. On success, the user gets the page they were after. Here's a tutorial (search for "Form Based Login" or "Form Based Authentication" on the net): http://java.sun.com/webservices/doc.../Security5.html

b) You want to call that over HTTPS. If not, you want to do an MD5 hash of the password with another string and POST that instead. Server-side, you do the same operation with the real password. If the MD5 hashes are the same, the user typed in the correct password. You will obviously have to write or find an MD5 JavaScript.

Dave Milne

"Xarky" <bernardpace@yahoo.com> wrote in message news:bc42e1a.0412212318.3ba9263@posting.google.com...
> Hi,
> I have the following code. Here the client is requested to enter
> the username and password and forward them to a new JSP page.
>
> Is this secure for the username and password? If not how can I make
> it better?
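Point (a) above, as an added example rather than anything posted in the thread: a `web.xml` fragment that turns on container-managed FORM authentication, and that also covers the HTTPS requirement of point (b) through `transport-guarantee CONFIDENTIAL`. The role name, realm name and `/secure/*` pattern are assumptions; `j_security_check`, `j_username` and `j_password` are fixed by the Servlet specification, not by WebSphere alone. The MD5 scheme in (b) is not shown here; with the transport guarantee in place the password itself only ever travels inside TLS.

```xml
<!-- Added example, not from the original thread. Deployment descriptor fragment
     for container-managed form-based login. Role, realm and the /secure/* path
     are assumptions chosen for illustration. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Which URLs need a logged-in user. The container intercepts the first hit,
       shows the login page, and replays the original request after success. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <url-pattern>/CheckStatus.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL makes the container redirect http:// requests for these
         URLs to https:// before the login page is served, so the password is
         never posted in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM auth: the container owns the credential check; the application never
       sees the raw password in its own JSP code. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

The login page named in `form-login-page` must post to the container's endpoint rather than to `CheckStatus.jsp`: `<form method="post" action="j_security_check">` with inputs named `j_username` and `j_password`. How those names are checked against a user store (a realm, LDAP, a database) is container configuration; in Tomcat, for example, it is the `Realm` element in `server.xml` or the context descriptor, not anything in the web application.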