portals-jetspeed-dev mailing list archives

From Santiago Gala <sg...@hisitech.com>
Subject Re: Cookie-based Authorized Sessions / How can the user automatically login using a cookie? - implemented?
Date Mon, 08 Oct 2001 15:57:44 GMT
Chris Kimpton wrote:

>This is in proposal 0005 and seems to be also mentioned in this
>The documentation and discussions seem to imply it has not been
>implemented - is it still a valid item?
Nobody supplied patches for it.

>Let me know as I would like this facility for my project - I would
>aim to supply a patch for it.
>I would assume that it is an optional feature that is to be turned
>off by default.
So, the best thing would be to write a SessionValidator action that 
behaves slightly differently from the one that we have now.

- User has an option like Remember me in addition to Name/Password.
- This option makes the system set a (more or less permanent) cookie 
that is *not* traceable to the password. It could be a hash of 
username/password or else something truly random to be stored as 
User.setPerm( ... ) This is due to the incredible amount of security 
issues if the password can be deduced from the cookie. Anybody could 
fake the cookie and log in as the user.

- When a session gets validated, if a cookie is present, the Validator 
will look what user it belongs to, and log this user in if it equals the 
User.getPerm() info.

An option somewhere to remove the cookie would be interesting also.

Still, even if the password cannot be retrieved from the cookie, the 
cookie can be faked and copied to a different browser to log in. 
But, at least, an attempt to change the password will be logged. This is 
inherently insecure, but I think that if the password cannot be 
retrieved from the cookie, the behaviour can be considered reasonable in 
some environments.

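The design sketched in the message above, as an added, language-neutral illustration (Python, not Jetspeed or Turbine code): a "Remember me" login mints a random token that has no relation to the password, stores a record of it in a per-user "perm" slot standing in for User.setPerm(...), and a session validator looks the user up from the cookie and logs them in only if the presented token matches what is stored. A forget_me() function is the "option to remove the cookie". The class names, the cookie layout `username:token`, and the choice to store a SHA-256 digest of the token rather than the raw token are assumptions of this example, not anything the thread specifies. The caveat in the message is reproduced too: the same cookie string presented from "another browser" is accepted, because the server cannot tell the copies apart.

```python
import hashlib
import hmac
import secrets


class User:
    """Constructed stand-in for a user record. The remember-me secret lives in
    self.perm, mirroring the User.getPerm()/setPerm() storage the thread mentions."""

    def __init__(self, name, password):
        self.name = name
        self.password = password  # plaintext only because this is a constructed example
        self.perm = {}


USERS = {}  # constructed in-memory user store (assumption: one record per name)


def register(name, password):
    user = User(name, password)
    USERS[name] = user
    return user


def login_with_password(name, password, remember_me):
    """Name/password login. Returns (user, cookie_value); cookie_value is None
    unless the user ticked "Remember me"."""
    user = USERS.get(name)
    if user is None or user.password != password:
        return None, None
    cookie = None
    if remember_me:
        # Truly random token, independent of the password, so nothing about the
        # password can be deduced from the cookie even if it is captured.
        token = secrets.token_urlsafe(32)
        # Store only a digest server-side (example choice): a leaked user table
        # then does not yield usable cookies.
        user.perm["remember_hash"] = hashlib.sha256(token.encode()).hexdigest()
        cookie = f"{name}:{token}"
    return user, cookie


def validate_session(cookie):
    """What the SessionValidator would do when a remember-me cookie is present:
    find the user it names and log them in only if the token matches User.getPerm()."""
    if not cookie or ":" not in cookie:
        return None
    name, token = cookie.split(":", 1)
    user = USERS.get(name)
    if user is None:
        return None
    stored = user.perm.get("remember_hash")
    if stored is None:
        return None  # user never opted in, or has since removed the cookie
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison so the check does not leak which bytes matched.
    if not hmac.compare_digest(stored, presented):
        return None
    return user


def forget_me(user):
    """The "remove the cookie" option: after this, any copy of the old cookie,
    including one pasted into a different browser, stops working."""
    user.perm.pop("remember_hash", None)


if __name__ == "__main__":
    alice = register("alice", "correct horse")
    _, cookie = login_with_password("alice", "correct horse", remember_me=True)
    print("same browser   :", validate_session(cookie) is alice)   # True
    print("copied cookie  :", validate_session(cookie) is alice)   # True: the caveat
    print("forged token   :", validate_session("alice:guess"))      # None
    forget_me(alice)
    print("after forget_me:", validate_session(cookie))             # None
```

Because the server keeps one remember-me value per user, a second "Remember me" login replaces the first token, which also gives a user a blunt way to evict a copied cookie: log in again with the box ticked, or use the explicit remove option.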

