Promptless Logins For J2EE?
By Adrian Sutton
Dear lazyweb,
I’m writing a J2EE (well, technically JSP/Servlets but no EJBs) webapp that has two goals:
- Secure authentication is required. Unauthorized users shouldn’t be able to access anything except a login page.
- Easy access for authenticated users, i.e. don’t prompt users for their password every time they open a new browser instance, and don’t time out logins. Prompting the first time they access the system using a particular browser/computer is okay though. Even prompting once per day would be okay, though not ideal.
I realize that these goals tend to conflict to a degree, i.e. it’s far more secure to log users out every so often so that if someone gets access to a machine they logged in from they don’t get access automatically. We’ll have to live with that risk, so let’s just assume that the machines users are accessing the system from are secure, or that users are smart enough to always click logout when they’re finished.
The whole system will be run over https.
How do you do it?
You can set the session timeout to 0 and it will last forever, but a new session is created when the user opens a new browser instance, so you not only have to log in again but now also have a memory leak. As far as I can tell I have to roll my own system using a cookie that expires sometime in the next millennium and just hope no one guesses the magical key it holds. I’m lazy though, so I’d prefer not to have to implement my own system, and getting it working in a way that can leverage the features of whatever servlet container it happens to be running in would be a major bonus.