portals-jetspeed-dev mailing list archives

From Paul Spencer <p...@mikon.com>
Subject Re: Cookie-based Authorized Sessions / How can the user automatically login using a cookie? - implemented?
Date Mon, 08 Oct 2001 22:06:50 GMT
Chris,
I have posted similar comments on these issues; please search the user
and developer lists for additional comments and concerns.

Tomcat v4.x has added some "single sign-on" functionality.  Can this
be used?

Paul Spencer

Santiago Gala wrote:
> 
> Chris Kimpton wrote:
> 
> >Hi,
> >
> >This is in proposal 0005 and seems to be also mentioned in this
> >discussion:
> >
> >http://www.mail-archive.com/jetspeed-user@jakarta.apache.org/msg00704.html
> >
> >The documentation and discussions seem to imply it has not been
> >implemented - is it still a valid item?
> >
> Nobody supplied patches for it.
> 
> >
> >Let me know as I would like this facility for my project - I would
> >aim to supply a patch for it.
> >
> >I would assume that it is an optional feature that is to be turned
> >off by default.
> >
> So, the best thing would be to write a SessionValidator action that
> behaves slightly differently than the one that we have now.
> 
> - User has an option like Remember me in addition to Name/Password.
> - This option makes the system set a (more or less permanent) cookie
> that is *not* traceable to the password. It could be a hash of
> username/password or else something truly random to be stored as
> User.setPerm( ... ) This is due to the incredible amount of security
> issues if the password can be deduced from the cookie. Anybody could
> fake the cookie and log in as the user.
> 
> - When a session gets validated, if a cookie is present, the Validator
> will look up which user it belongs to, and log this user in if it equals the
> User.getPerm() info.
> 
> An option somewhere to remove the cookie would be interesting also.
> 
> Still, even if the password cannot be retrieved from the cookie, the
> cookie can be faked and copied to a different browser to have login.
> But, at least, an attempt to change password will be logged. This is
> inherently insecure, but I think that if the password cannot be
> retrieved from the cookie, the behaviour can be considered reasonable in
> some environments.
> 
> >
> >
> >Regards,
> >Chris
> >
> >=====
> >Need somewhere to Live in London - http://freeflats.com

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org
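The "Remember me" design sketched in the quoted reply (a random, password-independent token stored in the user's perm slot and compared on session validation, plus an option to drop it) as an added, language-neutral Python model; it is not Jetspeed or Turbine code, the in-memory `store` dict stands in for `User.setPerm`/`User.getPerm`, and the 30-day lifetime is an assumption the thread does not state:

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stand-in for the user record's "perm" slot
# (User.setPerm / User.getPerm in the thread), keyed by username.
TOKEN_TTL = 30 * 24 * 3600  # 30-day lifetime; an assumption, not from the thread


def _digest(token: str) -> str:
    # Only the hash is persisted, so a copy of the store does not yield cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_remember_cookie(store: dict, username: str, now: Optional[float] = None) -> str:
    """Mint a truly random token (not derived from the password); persist its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store[username] = {"hash": _digest(token), "expires": now + TOKEN_TTL}
    return f"{username}:{token}"  # the cookie value handed to the browser


def user_from_cookie(store: dict, cookie: str, now: Optional[float] = None) -> Optional[str]:
    """SessionValidator step: the username if the cookie is valid, else None."""
    now = time.time() if now is None else now
    username, sep, token = cookie.partition(":")
    record = store.get(username)
    if not sep or record is None or now > record["expires"]:
        return None
    # Constant-time compare so the check itself does not leak the stored hash.
    if not hmac.compare_digest(record["hash"], _digest(token)):
        return None
    return username


def forget_me(store: dict, username: str) -> None:
    """The 'remove the cookie' option; a password change should call this too."""
    store.pop(username, None)
```

The cookie remains a bearer credential that can be copied to another browser, exactly as the reply says; the expiry and the revocation on password change bound how long a copied cookie stays useful.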

