Reuse login page for errors

The Servlet API defines a form-based login mechanism, which allows you to define a login page and an associated login error page. Here is an example of such an entry in web.xml:
<login-config>
 <auth-method>FORM</auth-method>
 <form-login-config>
  <form-login-page>/Login.jsp</form-login-page>
  <form-error-page>/LoginError.jsp</form-error-page>
 </form-login-config>
</login-config>
It's useful to note that you don't have to specify two different pages.

For example:

<login-config>
 <auth-method>FORM</auth-method>
 <form-login-config>
  <form-login-page>/Login.jsp</form-login-page>
  <form-error-page>/Login.jsp?Retry=True</form-error-page>
 </form-login-config>
</login-config>
That is, the same page can be reused for login errors. In the presence of the Retry parameter, the Login.jsp will display a simple error message.

Here is a snippet from a Login.jsp which uses this style:

<form method="POST" action='<%= response.encodeURL("j_security_check") %>'>
<table align="center">
<c:if test='${not empty param["Retry"]}'>
 <tr>
  <td colspan='2' align='center'><b>Please try again.</b></td>
 </tr>
 <tr>
  <td>&nbsp;</td>
 </tr>
</c:if>
<tr>
 <td><label>Name</label></td>
 <td><input type="text" name="j_username"></td>
</tr>
<tr>
 <td><label>Password</label></td>
 <td><input type="password" name="j_password"></td>
</tr>
<tr align="center">
 <td colspan="2"><input type="submit" value="Login"></td>
</tr>
</table>
</form>
For security reasons, many recommend not giving specific error information. For example, stating explicitly that the password is incorrect is undesirable, since that information is useful to hackers.

For similar reasons, when displaying an error it's likely best not to repeat the user's original input, and to leave the login form blank.

Would you use this technique?
Yes   No   Undecided   
© 2014 Hirondelle Systems | Source Code | Contact | License | RSS
Individual code snippets can be used under this BSD license - Last updated on September 21, 2013.
Over 2,000,000 unique IPs last year - Built with WEB4J.
- In Memoriam : Bill Dirani -