How to restrict clients from accessing a webpage that contains parameters in the URL

Question

I'm using this approach to validate a log in form.

index.jsp -> contains <form action=login.jsp method="post"> -> values are submitted -> login.jsp -> if login is successful -> response.sendRedirect("index.jsp?valid=1"); -> if not -> response.sendRedirect("index.jsp?valid=0");

However, any user can simply type index.jsp?valid=1 as a URL and then he would be "logged in", is this the right approach, if yes, how can I disallow someone to manipulate these URLs.

Answer 1

Since your are using .jsp, you are in Java EE paradigm. Java EE provides Basic and Form Based authentication models. You need to use one of these models to implement secure login to the system.

Here is a tutorial:

http://www.informit.com/articles/article.aspx?p=26139&seqNum=3

If you would like to use the Spring System, here is the tutorial:

http://static.springsource.org/spring-security/site/tutorial.html

Answer 2

No, this isn't the right approach and no, you can't restrict users. I mean, how would that be possible?

This information should be stored on the server side in the session.

Unless you're doing it for your own learning, I don't think you should code authentication/authorization by hand, there are plenty of libraries doing it, using them is not only a lot easier but also much safer.

Answer 3

Most of us use cookies for authentication, not URL parameters which can be hacked by anyone.