I'm using OpenID. How do I make it so that the user stays logged in for a long time even after closing the browser window?
How do I store and get access to the user's User object?
Basically, I guess I just don't really understand how sessions work in Java.
So you actually want something like a "Remember me on this computer" option? This is actually unrelated to the OpenID part. Here's a language-agnostic way of how you can do it:

1. First create a DB table with at least cookie_id and user_id columns. If necessary also add a cookie_ttl and ip_lock. The column names speak for themselves, I guess.

2. On first-time login (if necessary only with the "Remember me" option checked), generate a long, unique, hard-to-guess key (which is in no way related to the user) which represents the cookie_id and store this in the DB along with the user_id. Store the cookie_id as the cookie value of a cookie with a known cookie name, e.g. remember. Give the cookie a long lifetime, e.g. one year.

3. On every request, check if the user is logged in. If not, then check the cookie value cookie_id associated with the cookie name remember. If it is there and it is valid according to the DB, then automagically log in the user associated with the user_id and postpone the cookie age again and, if any, also the cookie_ttl in the DB.

In Java/JSP/Servlet terms, make use of HttpServletResponse#addCookie() to add a cookie and HttpServletRequest#getCookies() to get cookies. You can do all the first-time checking in a Filter which listens on the desired resources, e.g. /* or maybe a bit more restricted.

With regard to sessions, you don't need them here. They have a shorter lifetime than you need. Only use the session to put the logged-in user or the "found" user in when it has a valid remember cookie. This way the Filter can just check its presence in the session and then doesn't need to check the cookies every time.

It's after all fairly straightforward. Good luck.
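As an added example (not code from the question or the answer above), here is how the three steps of the answer could look in a single Servlet Filter. Everything not in the original is an assumption: a jakarta.servlet 5+ container running Java 17, a JNDI DataSource named jdbc/app injected with @Resource, a remember_me table with cookie_id, user_id and expires_at columns (expires_at playing the role of the answer's cookie_ttl), a users table with id and name columns, and a minimal User record for the session. Two choices go beyond the answer's steps and are mine, not the answer's: the table stores a SHA-256 of the cookie value instead of the value itself, so a leaked table cannot be replayed as cookies, and the cookie is flagged HttpOnly and Secure.

```java
import jakarta.annotation.Resource;
import jakarta.servlet.*;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.*;
import javax.sql.DataSource;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.sql.*;
import java.time.Instant;
import java.util.Base64;

// Assumed schema (not from the post): remember_me(cookie_id CHAR(44) PRIMARY KEY, user_id BIGINT, expires_at TIMESTAMP), users(id BIGINT, name VARCHAR).
@WebFilter("/*")
public class RememberMeFilter extends HttpFilter {
    static final String COOKIE_NAME = "remember";
    static final int MAX_AGE_SECONDS = 365 * 24 * 60 * 60;      // one year, as the answer suggests
    private static final SecureRandom RANDOM = new SecureRandom();
    @Resource(name = "jdbc/app") private DataSource dataSource; // JNDI name is an assumption

    public record User(long id, String name) {}                 // minimal User object kept in the session

    /** Step 2: call from the login code after a successful login with "Remember me" checked. */
    public static void issueToken(HttpServletResponse response, Connection conn, long userId) throws SQLException {
        byte[] raw = new byte[32];                                // 256 random bits, unrelated to the user
        RANDOM.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        try (PreparedStatement ps = conn.prepareStatement("INSERT INTO remember_me (cookie_id, user_id, expires_at) VALUES (?, ?, ?)")) {
            ps.setString(1, sha256(token));                       // store only the hash, never the cookie value
            ps.setLong(2, userId);
            ps.setTimestamp(3, expiry());
            ps.executeUpdate();
        }
        response.addCookie(buildCookie(token, MAX_AGE_SECONDS));
    }

    /** Step 3: on every request, restore the user from the cookie if the session has no user yet. */
    @Override
    protected void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = request.getSession();
        String token = readCookie(request);
        if (session.getAttribute("user") == null && token != null) {
            try (Connection conn = dataSource.getConnection()) {
                User user = lookup(conn, token);
                if (user != null) {
                    session.setAttribute("user", user);
                    response.addCookie(buildCookie(token, MAX_AGE_SECONDS));  // postpone the cookie age
                } else {
                    response.addCookie(buildCookie("", 0));                   // unknown or expired: drop it
                }
            } catch (SQLException e) {
                throw new ServletException(e);
            }
        }
        chain.doFilter(request, response);
    }

    /** Looks the hashed cookie value up; if valid, extends its TTL in the DB and returns the user, else null. */
    static User lookup(Connection conn, String token) throws SQLException {
        String hash = sha256(token);
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT u.id, u.name FROM remember_me r JOIN users u ON u.id = r.user_id WHERE r.cookie_id = ? AND r.expires_at > ?")) {
            ps.setString(1, hash);
            ps.setTimestamp(2, Timestamp.from(Instant.now()));
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return null;
                User user = new User(rs.getLong(1), rs.getString(2));
                try (PreparedStatement upd = conn.prepareStatement("UPDATE remember_me SET expires_at = ? WHERE cookie_id = ?")) {
                    upd.setTimestamp(1, expiry()); upd.setString(2, hash); upd.executeUpdate();
                }
                return user;
            }
        }
    }

    static String readCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();                  // null when the request carries no cookies
        if (cookies == null) return null;
        for (Cookie c : cookies) if (COOKIE_NAME.equals(c.getName()) && !c.getValue().isEmpty()) return c.getValue();
        return null;
    }
    static Cookie buildCookie(String value, int maxAge) {
        Cookie cookie = new Cookie(COOKIE_NAME, value);
        cookie.setMaxAge(maxAge); cookie.setPath("/");
        cookie.setHttpOnly(true); cookie.setSecure(true);         // not readable from JavaScript, sent over HTTPS only
        return cookie;
    }
    static Timestamp expiry() { return Timestamp.from(Instant.now().plusSeconds(MAX_AGE_SECONDS)); }
    static String sha256(String s) {
        try {
            return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }  // SHA-256 is mandatory in every JRE
    }
}
```

The login servlet calls RememberMeFilter.issueToken(response, conn, user.id()) after a successful OpenID login with the box checked and puts the User into the session itself; from then on the filter only touches the database when the session has no user but a remember cookie is present. Logout should delete the row for that cookie_id and expire the cookie, so that a copied token cannot be reused afterwards.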