portals-jetspeed-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 4191] - Cookie-based Authorized Sessions / How can the user automatically login using a cookie? - implemented?
Date Tue, 16 Oct 2001 09:39:46 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4191>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4191

Cookie-based Authorized Sessions / How can the user automatically login using a cookie? - implemented?

------- Additional Comments From kimptoc_mail@yahoo.com  2001-10-16 02:39 -------
comments from Santiago:

So, the best thing would be to write a SessionValidator action that
behaves slightly differently than the one that we have now.

- User has an option like "Remember me" in addition to Name/Password.
- This option makes the system set a (more or less permanent) cookie
that is *not* traceable to the password. It could be a hash of
username/password or else something truly random to be stored as
User.setPerm( ... ). This is due to the incredible amount of security
issues if the password can be deduced from the cookie. Anybody could
fake the cookie and log in as the user.

- When a session gets validated, if a cookie is present, the Validator
will look up what user it belongs to, and log this user in if it equals
the User.getPerm() info.

An option somewhere to remove the cookie would be interesting also.

Still, even if the password cannot be retrieved from the cookie, the
cookie can be faked and copied to a different browser to gain a login.
But, at least, an attempt to change the password will be logged. This is
inherently insecure, but I think that if the password cannot be
retrieved from the cookie, the behaviour can be considered reasonable
in some environments.
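The scheme sketched in the comment above (a random, non-password-derived token stored per user via something like User.setPerm, checked by the session validator, and removable by the user) as an added worked example. This is illustrative Python written for this page, not Jetspeed or Turbine code; `User`, `UserStore`, `PERM_KEY` and the function names are assumptions standing in for the portal's user model. It goes slightly beyond the comment by storing only a digest of the token server-side, so that a copy of the user database does not by itself yield usable cookies, and by comparing digests in constant time.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Stand-in for the portal's user object; `perms` plays the role of
# User.setPerm(...) / User.getPerm(...) in the comment above (assumption).
@dataclass
class User:
    name: str
    password_hash: str          # never involved in the cookie
    perms: Dict[str, str] = field(default_factory=dict)


# Key under which the remember-me token digest is kept (assumed name).
PERM_KEY = "remember_me_token_digest"


class UserStore:
    """Minimal in-memory user store, constructed for this example."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def add(self, user: User) -> None:
        self.users[user.name] = user

    def get(self, name: str) -> Optional[User]:
        return self.users.get(name)


def _digest(token: str) -> str:
    # Only the digest is persisted; the raw token lives solely in the cookie.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_remember_me_cookie(store: UserStore, username: str) -> str:
    """Called after a successful name/password login when "Remember me" is ticked.

    The cookie value is username + a fresh random token; nothing about the
    password can be derived from it, which is the property the comment asks for.
    """
    user = store.get(username)
    if user is None:
        raise ValueError("unknown user")
    token = secrets.token_urlsafe(32)
    user.perms[PERM_KEY] = _digest(token)
    return f"{username}:{token}"


def validate_remember_me_cookie(store: UserStore, cookie: Optional[str]) -> Optional[str]:
    """What the SessionValidator would do: return the username to log in, or None."""
    if not cookie or ":" not in cookie:
        return None
    username, token = cookie.split(":", 1)
    user = store.get(username)
    if user is None:
        return None
    stored = user.perms.get(PERM_KEY)
    if stored is None:
        return None                      # no remember-me token on record
    if not hmac.compare_digest(stored, _digest(token)):
        return None                      # forged or stale cookie
    return username


def revoke_remember_me(store: UserStore, username: str) -> None:
    """The "option somewhere to remove the cookie": drop the stored digest so
    any copy of the cookie, on any browser, stops working."""
    user = store.get(username)
    if user is not None:
        user.perms.pop(PERM_KEY, None)


def is_password_traceable(user: User, cookie: str) -> bool:
    """Sanity check for the key property: the cookie must not embed the
    password hash, and the stored digest must differ from the cookie token."""
    _, token = cookie.split(":", 1)
    return user.password_hash in cookie or user.perms.get(PERM_KEY) == token


if __name__ == "__main__":
    store = UserStore()
    store.add(User("alice", password_hash="<constructed-hash>"))
    cookie = issue_remember_me_cookie(store, "alice")
    print("validated as:", validate_remember_me_cookie(store, cookie))
    revoke_remember_me(store, "alice")
    print("after revoke:", validate_remember_me_cookie(store, cookie))
```

Revoking on password change is the natural place to hook `revoke_remember_me`, since the comment notes that a password-change attempt is what gets logged when a copied cookie is abused; invalidating the token there limits how long a copied cookie stays useful.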

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org

