I have a little bit of a problem understanding cookies, sessions and authentication in a Java web app.
Basically I have an authentication class, to an object of which my servlet gives the request object, and it is responsible for returning true or false depending on whether the user has logged in or not.
So, every time a user logs in, I will create a big random string, and I will give it as a value to the response cookie and also to the session object as an attribute, is that right? And when that user makes another request, I will compare the cookie he just sent me to the cookie of his session to see if it is the same, and then he will be authenticated, right?
Maybe I say wrong things here, that's why I want someone to explain to me if the authentication of a user is the above process or where I am mistaken.
Thank you
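The comparison described in the question (random cookie value matched against the stored session) is what the servlet container already does with the JSESSIONID cookie, so the application only needs to record who is logged in inside the session and check for that on every request; the example below, added here and not part of the original question, shows that with a login servlet and a filter (two files shown together), and assumes a hypothetical `UserStore.check(user, password)` for the app's own credential lookup.

```java
// File LoginServlet.java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (!UserStore.check(user, password)) {   // UserStore: assumed app-specific class
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true);
        // Rotate the id at login so a session id handed out before authentication
        // (session fixation) is not kept; the container reissues the JSESSIONID cookie.
        req.changeSessionId();                      // Servlet 3.1+
        session.setAttribute("authenticatedUser", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}

// File AuthFilter.java (same imports as above)
@WebFilter("/*")
public class AuthFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (path.equals("/login")) {                // the login endpoint must stay reachable
            chain.doFilter(request, response);
            return;
        }
        // getSession(false) never creates a session: a missing or unknown JSESSIONID
        // yields null, which is the "cookie matches no session" case from the question.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("authenticatedUser") == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Logging out is `session.invalidate()`, which drops the server-side session so the old JSESSIONID value stops matching anything; marking the cookie HttpOnly and Secure is done in the container's session-config rather than in this code.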