11:23 p.m.
Remember-Me automatic authentication
------------------------------------
Key: JBSEAM-863
URL: http://jira.jboss.com/jira/browse/JBSEAM-863
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Reporter: H T
Fix For: 1.1.7.GA
Extend the behaviour of Remember-Me to automatically authenticate the user after they have
selected the "Remember Me" service rather than have him or her re-enter their
password each time.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
11:27 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-863) Remember-Me automatic authentication
[ http://jira.jboss.com/jira/browse/JBSEAM-863?page=comments#action_12353435 ]
H T commented on JBSEAM-863:
----------------------------
Easy implementation taken from Acegi:
http://acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisec...
Remember-Me automatic authentication
------------------------------------
Key: JBSEAM-863
URL: http://jira.jboss.com/jira/browse/JBSEAM-863
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Reporter: H T
Fix For: 1.1.7.GA
Extend the behaviour of Remember-Me to automatically authenticate the user after they
have selected the "Remember Me" service rather than have him or her re-enter
their password each time.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:55 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-863) Remember-Me automatic authentication
[ http://jira.jboss.com/jira/browse/JBSEAM-863?page=comments#action_12353437 ]
Christian Bauer commented on JBSEAM-863:
----------------------------------------
This is breaking the "never trust the client" model that every public web
application should follow and opens up lots of possibilities for XSS attacks.
Remember-Me automatic authentication
------------------------------------
Key: JBSEAM-863
URL: http://jira.jboss.com/jira/browse/JBSEAM-863
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Reporter: H T
Fix For: 1.1.7.GA
Extend the behaviour of Remember-Me to automatically authenticate the user after they
have selected the "Remember Me" service rather than have him or her re-enter
their password each time.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:45 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-863) Remember-Me automatic authentication
[ http://jira.jboss.com/jira/browse/JBSEAM-863?page=comments#action_12353441 ]
Jack Cox commented on JBSEAM-863:
---------------------------------
I agree, never trust the client, but if a secure hash is used to
hash[user+expiry+password] then the password is not kept on the system, instead a
non-recoverable version of it is. If a secure hash (like SHA-256, SHA-1 or MD5 [which has
some issues]) is stored in the cookie it would take some extensive work (like searching an
answer space that is 2^69 big on SHA-1). The inclusion of the expiry time in the hash
prevents it from being attacked with a dictionary attack because the salt adds sufficient
randomness. On average the attacker would need to compute 2^68 secure hashes, that will
take a while.
Also, for useful features like site personalization, having the user re-enter their
password each time they access the site would greatly detract from the value of the
feature. Most people just wouldn't use it.
Remember-Me automatic authentication
------------------------------------
Key: JBSEAM-863
URL: http://jira.jboss.com/jira/browse/JBSEAM-863
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Reporter: H T
Fix For: 1.1.7.GA
Extend the behaviour of Remember-Me to automatically authenticate the user after they
have selected the "Remember Me" service rather than have him or her re-enter
their password each time.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:32 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Closed: (JBSEAM-863) Remember-Me automatic authentication
[ http://jira.jboss.com/jira/browse/JBSEAM-863?page=all ]
Gavin King closed JBSEAM-863.
-----------------------------
Resolution: Won't Fix
We discussed this and decided against it. All web browsers are able to remember passwords
and match them to user ids, so remembering the user id is enough.
Note that hashing the password doesn't help, since its easy to just find the hashed
value in the cookies and send that to the server.
Remember-Me automatic authentication
------------------------------------
Key: JBSEAM-863
URL: http://jira.jboss.com/jira/browse/JBSEAM-863
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Reporter: H T
Fix For: 1.1.7.GA
Extend the behaviour of Remember-Me to automatically authenticate the user after they
have selected the "Remember Me" service rather than have him or her re-enter
their password each time.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:34 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-863) Remember-Me automatic authentication
[ http://jira.jboss.com/jira/browse/JBSEAM-863?page=comments#action_12353450 ]
Gavin King commented on JBSEAM-863:
-----------------------------------
ie. you dont need to find the password. knowing the hashed password is enough.
Remember-Me automatic authentication
------------------------------------
Key: JBSEAM-863
URL: http://jira.jboss.com/jira/browse/JBSEAM-863
Project: JBoss Seam
Issue Type: Feature Request
Components: Security
Reporter: H T
Fix For: 1.1.7.GA
Extend the behaviour of Remember-Me to automatically authenticate the user after they
have selected the "Remember Me" service rather than have him or her re-enter
their password each time.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:40 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-863) Remember-Me automatic authentication
[ http://jira.jboss.com/jira/browse/JBSEAM-863?page=comments#action_12412989 ]
Stephen Friedrich commented on JBSEAM-863:
------------------------------------------
Follow-up: JBSEAM-2079
Remember-Me automatic authentication
------------------------------------
Key: JBSEAM-863
URL: http://jira.jboss.com/jira/browse/JBSEAM-863
Project: Seam
Issue Type: Feature Request
Components: Security
Reporter: Hung Tang
Fix For: 1.1.7.CR1
Extend the behaviour of Remember-Me to automatically authenticate the user after they
have selected the "Remember Me" service rather than have him or her re-enter
their password each time.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5892
days inactive
6346
days old
6 comments
5 participants
participants (5)
-
Christian Bauer (JIRA) -
Gavin King (JIRA)
-
H T (JIRA)
-
Jack Cox (JIRA)
-
Stephen Friedrich (JIRA)