Here's how I've done it - First of all, I don't use "j_security_check" as my action, but rather "auth/" which maps to a LoginServlet. That servlet does some other things, but here's the relevant code. The StringUtil.encodeString(password) method changes the cookie to be base64 encrypted. Not a very good encryption, but better than nothing.

LoginServlet.java
=====================

String username = request.getParameter("j_username").toLowerCase();
String password = request.getParameter("j_password");

// user ticked "remember me": set the marker cookie and the encoded password cookie
if (request.getParameter("rememberMe") != null) {
    response = RequestUtil.setCookie(response, "rememberMe", "true", false);
    response = RequestUtil.setCookie(response, "password",
                                     StringUtil.encodeString(password), false);
}

// hand the credentials on to the container's form-login action
String req = "j_security_check?j_username=" + RequestUtils.encodeURL(username)
             + "&j_password=" + RequestUtils.encodeURL(password);
response.sendRedirect(response.encodeRedirectURL(req));

Then I have a filter mapped to /* and it has the following code:

Cookie rememberMe = RequestUtil.getCookie(request, "rememberMe");
Cookie passCookie = RequestUtil.getCookie(request, "password");
String password = (passCookie != null)
                  ? URLDecoder.decode(passCookie.getValue(), "UTF-8") : null;

// <form-error-page>/login.jsp?error=true</form-error-page>
boolean authFailed = StringUtils.equals(request.getParameter("error"), "true");

// check to see if the user is logging out, if so, remove the
// rememberMe cookie and password Cookie
if ((request.getRequestURL().indexOf("logout") != -1) || authFailed) {
    if (log.isDebugEnabled()) {
        log.debug("deleting rememberMe-related cookies");
    }

    response = RequestUtil.deleteCookie(response,
                                        RequestUtil.getCookie(request, "rememberMe"));
    response = RequestUtil.deleteCookie(response, passCookie);
}

if ((request.getRequestURL().indexOf("login") != -1) && !authFailed) {
    // Check to see if we should automatically login the user
    // container is routing user to login page, check for remember me cookie
    Cookie userCookie = RequestUtil.getCookie(request, "username");
    // test userCookie itself (not passCookie) before reading its value
    String username = (userCookie != null)
                      ? URLDecoder.decode(userCookie.getValue(), "UTF-8") : null;

    if ((rememberMe != null) && (password != null)) {
        // authenticate user without displaying login page
        String route = "j_security_check?j_username=" + username
                       + "&j_password=" + StringUtil.decodeString(password);

        if (log.isDebugEnabled()) {
            log.debug("I remember you '" + username
                      + "', attempting authentication...");
        }

        response.sendRedirect(response.encodeRedirectURL(route));
        return;
    }
}

chain.doFilter(req, resp);

This has been working great for me, but I've only tested it on Tomcat.

HTH,

Matt

> -----Original Message-----
> From: John Trollinger [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 20, 2003 1:12 PM
> To: [EMAIL PROTECTED]
> Subject: Form based security and "Remember Me"
>
>
> I searched the archive and only saw one message pertaining to this.
>
> Is anyone doing this at all? And if so how?
>
> Thanks,
>
> John