
User verification email and password (Java web, servlets)

I've created a simple web login where the user enters the email and password, and it checks if the user and password are correct; then he gets redirected to a welcome.jsp page, where it says login success. I'm checking 3 emails and passwords and creating a session for each one. The problem I'm facing is that if the user enters the email or password wrong, after 3 attempts he will be blocked for a certain amount of time, and after the time expires he can try again. I can't think of a way of doing this. Is there a way in which this could be done?

import java.io.*;
import jakarta.servlet.http.*;
import jakarta.servlet.annotation.*;

//@WebServlet(name = "loginController", value = "/login")
@WebServlet("/HelloServlet")
public class HelloServlet extends HttpServlet {

public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String email = request.getParameter("email");
    String password = request.getParameter("password");
    String er = "Invalid user info";
    int attempts = 3;
    PrintWriter printWriter = response.getWriter();
    LoginBean loginBean = new LoginBean();

    loginBean.setEmail(email);
    loginBean.setPassword(password);

    try
    {
        if(email.equals("Mhamdoon4@gmail.com") && password.equals("pass001"))
        {
            System.out.println("Admin's Home");

            HttpSession session = request.getSession(); //Creating a session
            session.setAttribute("Mohammed", email); //setting session attribute
            request.setAttribute("email", email);

            request.getRequestDispatcher("welcome.jsp").forward(request, response);
        }
        else{
            attempts--;
            printWriter.println(attempts + " left");

        }
        if(email.equals("Mhamdoon6@gmail.com") && password.equals("pass0011"))
        {
            System.out.println("Editor's Home");

            HttpSession session = request.getSession();
            session.setAttribute("Ali", email);
            request.setAttribute("email", email);

            request.getRequestDispatcher("welcome.jsp").forward(request, response);
        }
        else{
            attempts--;
            printWriter.println(attempts + " left");
        }
        if(email.equals("Mhamdoon12@gmail.com") && password.equals("pass00901"))
        {
            System.out.println("User's Home");

            HttpSession session = request.getSession();
            session.setAttribute("Adam", email);
            request.setAttribute("email", email);

            request.getRequestDispatcher("welcome.jsp").forward(request, response);
        }
        else{
            attempts--;
            printWriter.println(attempts + " left");
        }
//            if()
//            {
//                System.out.println("Error message = Invalid info");
//                request.setAttribute("errMessage", er);
//
//                request.getRequestDispatcher("fail.jsp").forward(request, response);
//            }
    }
    catch (IOException e1)
    {
        e1.printStackTrace();
    }
    catch (Exception e2)
    {
        e2.printStackTrace();
    }
    }
public void destroy() {
}
}

The easiest way, as your example is simple (checking string literals), is keeping the attempts in the session. This way the attempts are tied to the session (in other words, to the browser's cookies).

To set the values in the session:

request.getSession().setAttribute("loginAttempts", 3);
request.getSession().setAttribute("lastLoginAttempt", LocalDateTime.now());

To read them:

Integer attempts = (Integer) request.getSession().getAttribute("loginAttempts");
LocalDateTime lastLoginAttempt = (LocalDateTime) request.getSession().getAttribute("lastLoginAttempt");

Now you just have to play with the values, recalculate, and reset them after a successful login. The variables will be kept as long as the browser session is kept.

TL;DR;

I see that everyone who ends up here may need a bit of a briefing about requests and sessions.

You have to understand that the piece of code that goes inside the doGet or doPost is executed every time you enter the URL in the browser (the int attempts = 3; from your original post is executed every time, so it will always be 3).

The server collects all the data that comes from the client's browser request and builds a brand new HttpServletRequest object that contains all the data (URL, request params, cookies, IP, port, etc.) every time. Press F5? Everything gets executed again with a brand new HttpServletRequest.

The way servers keep a conversational state between the server and the client (browser) is through the Session. The Session is the only thing that is kept between requests. You can save variables in the Session for later (like the attempts and the lastLoginAttempt), and rely on the Session to see if a user is successfully logged in.

And how does the server keep the session between requests if everything gets recreated in each request? Through the session cookie. The server uses a normal cookie to which it gives a special value (in the Servlet specification this cookie is JSESSIONID). When a request comes without that cookie, the server creates one, giving it the value of a unique identifier. Next requests from the same browser will have that cookie, and the server will use the cookie to attach the session to every HttpServletRequest generated from requests from that browser. So in the brand new HttpServletRequest that is created in every request, the server injects into it the same HttpSession that was being used by the same JSESSIONID.
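A counter stored in the session starts over for any request that arrives without the JSESSIONID cookie, so a lockout meant to protect an account is better kept on the server and keyed by the account. The class below is an added example, not code from the question or the answer: `LoginThrottle`, the 15-minute `LOCK_TIME` and the sample address are assumptions, while the limit of 3 attempts comes from the question.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Locale;
import java.util.concurrent.ConcurrentHashMap;

// Added example: per-account failed-login throttle (all names are hypothetical).
public class LoginThrottle {
    private static final int MAX_ATTEMPTS = 3;                        // from the question
    private static final Duration LOCK_TIME = Duration.ofMinutes(15); // assumed value

    private static final class State { int failures; Instant lockedUntil = Instant.MIN; }

    private final ConcurrentHashMap<String, State> byAccount = new ConcurrentHashMap<>();
    private final Clock clock; // injectable so the expiry can be tested with a fixed clock

    public LoginThrottle(Clock clock) { this.clock = clock; }

    // Normalise the key so "User@x" and "user@x " share one counter (email must be non-null).
    private static String key(String email) { return email.trim().toLowerCase(Locale.ROOT); }

    // Call before comparing the password; a locked account is rejected outright.
    public boolean isLocked(String email) {
        State s = byAccount.get(key(email));
        if (s == null) return false;
        synchronized (s) { return clock.instant().isBefore(s.lockedUntil); }
    }

    // Call after a wrong password; returns the attempts left before the lockout.
    public int recordFailure(String email) {
        State s = byAccount.computeIfAbsent(key(email), k -> new State());
        synchronized (s) {
            if (++s.failures >= MAX_ATTEMPTS) {
                s.lockedUntil = clock.instant().plus(LOCK_TIME);
                s.failures = 0; // start a fresh count once the lock expires
                return 0;
            }
            return MAX_ATTEMPTS - s.failures;
        }
    }

    // Call after a successful login to clear the counter.
    public void recordSuccess(String email) { byAccount.remove(key(email)); }

    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle(Clock.systemUTC());
        String user = "user@example.com"; // constructed sample account
        for (int i = 1; i <= 3; i++)
            System.out.println("failure " + i + ", attempts left: " + t.recordFailure(user));
        System.out.println("locked now: " + t.isLocked(user));
    }
}
```

In a servlet, keep a single instance (for example as a ServletContext attribute) and call `isLocked` in `doPost` before the credentials are compared. The map is never pruned here, so a long-running deployment would also evict entries whose lock has expired.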
