[gatein-issues] [JBoss JIRA] (GTNPORTAL-2771) Ensure that generated rememberme token is really unique

RH Bugzilla Integration (JIRA) jira-events at lists.jboss.org
Tue Jan 29 10:14:47 EST 2013 

    [ https://issues.jboss.org/browse/GTNPORTAL-2771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12751085#comment-12751085 ] 

RH Bugzilla Integration commented on GTNPORTAL-2771:
----------------------------------------------------

vramik at redhat.com made a comment on [bug 887972|https://bugzilla.redhat.com/show_bug.cgi?id=887972]

I tried following scenario:
I've used jar with org.exoplatform.web.security.SimpleGeneratorCookieTokenService test class and configured jpp to use this class instead of original one.

Then I tried to log in wit rememberme checkbox checked and cookie with "rememberme1" was generated. Then I erased cookies and log in with rememberme checkbox checked again and cookie with "rememberme2" was generated.
Then I erased cookies and log in with rememberme checkbox checked again and cookie with "rememberme3" was generated and in log is: 16:06:53,727 DEBUG [org.exoplatform.web.security.SimpleGeneratorCookieTokenService] (http-/127.0.0.1:8080-2) Token rememberme2 already exists. Other token will be generated
                
> Ensure that generated rememberme token is really unique
> -------------------------------------------------------
>
>                 Key: GTNPORTAL-2771
>                 URL: https://issues.jboss.org/browse/GTNPORTAL-2771
>             Project: GateIn Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>            Reporter: Marek Posolda
>            Assignee: Marek Posolda
>              Labels: EPP6.0-Test-Dev
>             Fix For: 3.6.0.Final
>
>
> Currently we are generating random rememberme tokens based on random int number (random.nextInt()). In systems with millions or many thousands login, this discriminator is not enough. 
> We should improve it and fix it either by:
> 1) Ensure that generated token is really unique. In system with many logins the random number may not be unique enough, so we need to add other info (like System.currentTimeMillis() or counter or both...)
> 2) In case that token already exists, we should generate other one instead of refresh the current one.
> Maybe combination of both approaches would be best :-)

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the gatein-issues mailing list