tags:

views:

323

answers:

1

I am writing a web app (servlet / JSP on tomcat) and wanted to know best practices / experiences for user management (logins and registration)

I am more insterested in

database design security issues (how to store the password on the server and how to send the password from the cline tover https) common mistakes

etc

Thanks --Jatin

+1  A: 

When the user creates their password, you want to create a hash of that password (with some salt) and store the hash.

You should not be able to retrieve the password to send to the user. You should only be able to verify a user's input against the stored hash.

If a user forgets their password, you can provide them a link to reset their password, but it is bad practice to send the user their password.

Nebakanezer