Java Servlet Remember Me: Fix Null Session in Filter

Question

How to implement 'remember me' or 'stay logged in' functionality in a plain Java Servlet application (no Spring or Shiro) using cookies and a database? Why does the session become null in the filter after forwarding from the login servlet?

I'm following this Stack Overflow thread (BalusC's solution 2 for Java 6/7) but encountering issues with the filter being called multiple times during login.

Problem Flow:
User requests protected resource (/jsp/startup.jsp): Filter called, session is null, no cookie/DB entry → forward to login.jsp.
User submits login form: Filter detects username parameter, calls chain.doFilter() to ProcessLogin servlet (session now non‑null).
ProcessLogin servlet:
If remember_me checked: Generates UUID, adds cookie, stores user in DB with UUID.
Calls request.login(username, password).
Sets user attribute in session.
Forwards to original startup.jsp.
Forward triggers filter third time: Session is unexpectedly null again, breaking logic.

Key Code Snippets:

MyServletFilter.java (extends SecurityParentServlet):

ProcessLogin.java (@WebServlet("/ProcessLogin")):

SecurityParentServlet provides addCookie, removeCookie, getCookieValue, forward, goToLogin, and jSecurityCheck (not fully shown, uses programmatic POST to /jsecuritycheck).

What causes the session to become null after the forward? How to fix the filter logic for proper 'remember me' handling in servlets?

NeuroAnswers · Accepted Answer

Implementing "remember me" or stay logged in functionality in a plain Java servlet request handler relies on session cookies paired with a database to store secure tokens, keeping users authenticated across browser restarts without re-entering credentials. The session turns null in your servlet filter after forwarding from ProcessLogin because request.login() invalidates the existing session to prevent fixation attacks, getSession(false) won't recreate it, and the FORWARD dispatcher re-triggers the filter on the JSP. To fix this, switch to getSession(true), limit the filter to REQUEST dispatches only, use sendRedirect post-login instead of forward, and adopt dual-token security (selector + hashed validator) for robust cookie session ID handling. Contents Understanding Remember Me in Java Servlet Request Handling Why Your Session Goes Null in the Servlet Filter After Forward Root Causes: Dispatchers, request.login(), and getSession Pitfalls Complete Stay Logged In Implementation with Session Cookies and DB Fixing MyServletFilter Logic for Reliable Remember Me Secure Cookie Session ID Best Practices Updating ProcessLogin Servlet and Alternatives Testing, Debugging, and Common Errors Sources Conclusion Understanding Remember Me in Java Servlet Request Handling Ever hit a wall trying to make "remember me" work smoothly in a vanilla servlet app? You're not alone—it's a classic pain point with java servlet request flows, especially without Spring's hand-holding. The idea is simple: on login, if the checkbox is ticked, generate a secure token, stash it in a long-lived cookie (say, 7-30 days), and mirror it in your database tied to the user. Next visit, the servlet filter sniffs the cookie, validates against the DB, logs them in programmatically via request.login(), and sets a session attribute to bypass future checks. BalusC nailed this in his time-tested Stack Overflow answer for Java 6/7 servlets: filter first on params/session, fallback to cookie/DB, then chain. But your flow breaks because forwards loop back through the filter unexpectedly. Why? Servlet dispatchers. More on that soon. Picture the happy path: No session/cookie? Redirect to login. Cookie valid? request.login() + session attr = proceed. Logs out? Nuke cookie and DB token. This beats session-only logins, which die on browser close. But security matters—raw UUIDs invite hijacking. We'll upgrade to pro-level tokens later. Why Your Session Goes Null in the Servlet Filter After Forward Let's replay your exact problem flow with logs in mind. User hits /jsp/startup.jsp: filter fires (session null, no cookie), forwards to login. Form posts to ProcessLogin: filter sees "username" param, chains through—session exists now. ProcessLogin generates UUID cookie if "remember_me", calls request.login(), sets session "user", forwards back to startup.jsp. Boom—filter #3: session null again! Logger screams "MyServletFilter was called" endlessly? That's the forward dispatcher re-entering the filter chain for JSPs mapped to *.jsp. Your getSession(false) chokes because request.login() zapped the session for anti-fixation protection—containers like Tomcat invalidate on programmatic login to dodge session fixation exploits. You see the ripple: forward preserves the request/session context but re-runs filters (unless restricted), post-invalidation getSession(false) returns null, cookie check happens too late or fails, loop to login. Frustrating, right? But fixable without frameworks. Root Causes: Dispatchers, request.login(), and getSession Pitfalls Drill down—three culprits stack up here. First, dispatcher types. Filters default to all: REQUEST, FORWARD, INCLUDE, etc. Your *.jsp mapping catches forwards from ProcessLogin, re-filtering the same request. Solution? REQUEST in web.xml or @WebFilter(dispatcherTypes = DispatcherType.REQUEST). Second, request.login() nukes the session. Per Servlet spec and Baeldung's breakdown, it invalidates to block fixation (attacker steals old session ID pre-login). Post-call, getSession(false) fails—use getSession(true) to force a new one. Third, param/session/cookie order. Your filter checks params first (good for login POST), but after forward, params vanish (FORWARD copies attributes, not params). Cookie logic runs, but null session blocks session.setAttribute("user"). Bonus pitfall from Coderanch forums: getSession(false) is brittle post-any-invalidation. Always true after login. And forwards? Swap to sendRedirect—new REQUEST, no filter loop, session cookie travels. Quick test: Add logger.debug("Dispatcher: " + request.getDispatcherType());—you'll see FORWARD on the third call. Complete Stay Logged In Implementation with Session Cookies and DB Time for working code. We'll hybrid BalusC with CodeJava's secure dual-token approach: random selector (cookie) + hashed validator (DB). On use, rotate both for replay protection. DB schema first (MySQL/Postgres): Constants (in SecurityParentServlet or util): addCookie (enhanced): getCookieValue (same, trim nulls). DBHandler stubs (use BCrypt/PBKDF2 for hashes): Full flow later in fixes. Fixing MyServletFilter Logic for Reliable Remember Me Here's your revised MyServletFilter. Key changes: @WebFilter(dispatcherTypes=DispatcherType.REQUEST), getSession(true) post-login, param check last (login POST needs it), early cookie/DB before session attr. No more forward loops. Session survives. Secure Cookie Session ID Best Practices Raw UUID? Meh—predictable. Dual-token shines: cookie holds opaque selector (random 16-32 chars), DB has matching hashed validator (random bytes, BCrypt'd). On read, app generates validator, hashes, compares. Rotate both on use/extract. Per Servlet API Cookie docs: HttpOnly=true: JS-proof. Secure=true: HTTPS-only. SameSite=Strict/Lax: CSRF hedge. Path="/", no Domain unless subdomains. Logout: DBHandler.deleteBySelector(selector); removeCookie(); session.invalidate();. Hash impl (use BouncyCastle or java.security): 30-day expiry? Fine-tune via DB lastusedat + cron purge old tokens. Updating ProcessLogin Servlet and Alternatives Your ProcessLogin needs tweaks: getSession(true) post-login, sendRedirect over forward (new request, cookie sticks). Alt: request.changeSessionId() (Servlet 3.1+) instead of login invalidation. Or jsecuritycheck POST via util. Login.jsp: for original URI. Testing, Debugging, and Common Errors Test rigorously: Login w/o remember: close browser, reload → login prompt. With remember: close/reopen → direct to protected, check logs/cookie. Invalid cookie: tamper selector → delete on fail. Tools: Chrome DevTools (Application > Cookies), Postman w/ cookies. Debug tips: Log dispatcher/request URI/session ID. Wireshark for cookie headers. Common gotchas: getSession(false) everywhere (swap to true), no @WebFilter dispatcher, HTTPS=false in prod. Edge: Multi-tab? Token race—use atomic DB updates. Mobile? Shorten expiry. If Tomcat: session cookie JSESSIONID auto-httpOnly since 7.0. Sources How to implement stay logged-in when user login in to the web application — BalusC's Solution 2 for servlet remember me with filter/cookie/DB: https://stackoverflow.com/questions/5082846/how-to-implement-stay-logged-in-when-user-login-in-to-the-web-application/5083809 How to implement Remember Password (Remember Me) for Java web application — Secure dual-token implementation with DB schema and rotation: https://www.codejava.net/coding/how-to-implement-remember-password-remember-me-for-java-web-application Guide to HttpServletRequest.getSession() — Explains getSession(false/true) behavior post-login invalidation: https://www.baeldung.com/java-request-getsession request.getSession(false) working intermittently — Forum discussion on session null after invalidate: https://coderanch.com/t/358332/java/request-getSession-false-working Cookie (Jakarta Servlet API) — Official docs for secure cookie flags like HttpOnly/Secure: https://jakarta.ee/specifications/servlet/4.0/apidocs/javax/servlet/http/cookie Conclusion Nail "remember me" in java servlet request apps by securing session cookies with DB tokens, fixing filter loops via REQUEST dispatchers and getSession(true), and redirecting post-login for clean flows. Your null session vanishes with these tweaks—deploy, test browser restarts, and enjoy stay logged in that just works. Prioritize hashing/rotation for prod; it'll handle real traffic without hiccups.