Added some logging and moved cookie stuff to the manager

src/zall/manager/AuthenticationManager.java

@@ -8,8 +8,7 @@ import zutil.Hasher;
 import zutil.db.DBConnection;
 import zutil.log.LogUtil;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
+import javax.servlet.http.*;
 import java.sql.SQLException;
 import java.sql.Timestamp;
 import java.util.logging.Logger;
@@ -23,21 +22,27 @@ public class AuthenticationManager {
 
     public static final String SESSION_KEY_USER      = "zall_user";
     public static final String SESSION_KEY_AUTH_HASH = "zall_ueser_session_hash";
-    public static final long   SESSION_TIMEOUT       = 1000*60*60*24*3; // 3day
+    public static final long   SESSION_TIMEOUT       = 3*24*60*60*1000; // 2 day
 
+    public static final String COOKIE_KEY_USER_HASH  = "zall_auth";
+    public static final int    COOKIE_TIMEOUT        = 10*24*60*60; // 10 days
 
     /**
      * Authenticate a username and password and return the associated Uaer object
      */
-    public static User authenticate(DBConnection db, String email, String password) throws SQLException {
+    public static User authenticate(DBConnection db, String email, String password, HttpServletRequest request, HttpServletResponse response) throws SQLException {
         User user = User.load(db, email);
 
         // Valid email?
         if( user != null ){
             if (user.getPassword().equals(Hasher.MD5(password))) {
-                userAuthenticated(db, user, User.AuthType.USER_INPUT);
+                setUserAuthenticated(db, user, User.AuthType.USER_INPUT, request, response);
                 return user;
+            } else {
+                logger.info("Incorrect password for username: " + user);
             }
+        } else {
+            logger.info("Incorrect username provided: " + user);
         }
         return null;
     }
@@ -47,24 +52,41 @@ public class AuthenticationManager {
      *
      * @return a user object or null authentications fails
      */
-    public static User authenticate(DBConnection db, HttpServletRequest request) throws SQLException{
-        String sessionHash = ServletUtil.getCookieValue(request.getCookies(), SESSION_KEY_AUTH_HASH);
-        User user = User.loadBySessionHash(db, sessionHash);
+    public static User authenticate(DBConnection db, HttpServletRequest request, HttpServletResponse response) throws SQLException{
+        String cookieHash = ServletUtil.getCookieValue(request.getCookies(), SESSION_KEY_AUTH_HASH);
+        if (cookieHash != null) {
+            User user = User.loadByCookieHash(db, cookieHash);
 
-        if( user != null &&
-                user.getIpHost().equals(request.getRemoteAddr()) &&
-                user.getLoginDate().getTime() + SESSION_TIMEOUT > System.currentTimeMillis()){
-            userAuthenticated(db, user, User.AuthType.COOKIE);
-            return user;
+            if (user != null) {
+                if (request.getRemoteAddr().equals(user.getIpHost()) &&
+                        user.getLoginDate().getTime() + SESSION_TIMEOUT > System.currentTimeMillis()) {
+                    setUserAuthenticated(db, user, User.AuthType.COOKIE, request, response);
+                    return user;
+                } else {
+                    logger.info("Cookie hash has expired or have incorrect ipHost: " + cookieHash);
+                }
+            } else {
+                logger.info("Cookie hash not associated with any user: " + cookieHash);
+            }
         }
         return null;
     }
 
-    private static void userAuthenticated(DBConnection db, User user, User.AuthType authType) throws SQLException {
+    private static void setUserAuthenticated(DBConnection db, User user, User.AuthType authType, HttpServletRequest request, HttpServletResponse response) throws SQLException {
         user.setLoginDate(new Timestamp(System.currentTimeMillis()));
         user.setAuthBy(authType);
+        user.setIpHost(request.getRemoteAddr());
+        user.setCookieHash(Double.toHexString(Math.random()));
         user.save(db);
-        logger.info("User(" + user.getName() + ") authenticated by " + user.getAuthBy());
+
+        setUserSession(user, request.getSession());
+        if(authType != User.AuthType.COOKIE){
+            Cookie c = new Cookie(COOKIE_KEY_USER_HASH, user.getCookieHash());
+            c.setMaxAge(COOKIE_TIMEOUT);
+            response.addCookie(c);
+        }
+
+        logger.info("User(" + user.getEmail() + ") authenticated by " + user.getAuthBy());
     }
 
     /**
@@ -88,7 +110,7 @@ public class AuthenticationManager {
             return false;
         if(!user.isEnabled())
             return false;
-        if(user.getSessionHash() == null || user.getSessionHash().isEmpty() )
+        if(user.getCookieHash() == null || user.getCookieHash().isEmpty() )
             return false;
 
         switch(user.getAuthBy()){
@@ -96,7 +118,7 @@ public class AuthenticationManager {
                 if (!user.isEmailVerified()) return false;
             case COOKIE:
                 String sessionHash = ServletUtil.getCookieValue(request.getCookies(), SESSION_KEY_AUTH_HASH);
-                return user.getSessionHash().equals(sessionHash) &&
+                return user.getCookieHash().equals(sessionHash) &&
                         user.getIpHost().equals(request.getRemoteAddr());
         }
         return false;
@@ -126,7 +148,7 @@ public class AuthenticationManager {
      * Reset the user authentication. In plain word: logout user.
      */
     public static void reset(DBConnection db, User user) throws SQLException {
-        user.setSessionHash(null);
+        user.setCookieHash(null);
         user.save(db);
     }