[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-735) remember me

berserksangr (JIRA) jira-events at jboss.com
Tue Feb 6 09:03:21 EST 2007


    [ http://jira.jboss.com/jira/browse/JBSEAM-735?page=comments#action_12352412 ] 
            
berserksangr commented on JBSEAM-735:
-------------------------------------

Posting here, as suggested by Peter on http://www.jboss.com/index.html?module=bb&op=viewtopic&t=100817

Watching comments on the new Remember me functionality, I have a suggestion to replace the current basic (in my opinion not sufficient) user-name-cookie approach with the following, far more secure scenario: 

Create Remember me Cookie: 
1.1. get: username, expiryTime(optional), passwordHash(!!!), customStringToken. 
1.2. create MD5/SHA1 digest from the fields above 
1.3. Store base64-encoded username+digest value in a cookie, setting expiration date. Send it to user. 

Validate user: 
2.1. get Cookie, decode base64-encoded value 
2.2. load user data by username 
2.3. calculate MD5/SHA1 digest from exactly these values that were used in 1.1 (getting these from retrieved-by-name user data, request, etc.) 
2.4. Validate if cookie is not expired
2.5. compare this newly calculated digest to the one stored with the cookie; if they match we are sure that the remember me token is valid and allow the user to log in. 

The fields in point 1.1 can/should be optionally extended to secure against naive cookie-hijacking issues (hostname? etc.)

> remember me
> -----------
>
>                 Key: JBSEAM-735
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-735
>             Project: JBoss Seam
>          Issue Type: Feature Request
>          Components: Remoting
>            Reporter: Gavin King
>         Assigned To: Gavin King
>             Fix For: 1.1.6.GA
>
>
> Identity should be able to store the user/pass in a cookie, like the Selector objects do (could Identity extend Selector??)

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
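The create/validate flow from steps 1.1 to 2.5 of the comment above, as an added example that is neither the commenter's nor Seam's code. It binds the digest to the username, expiry, stored password hash and a per-user token as proposed, but swaps the bare MD5/SHA1 digest for HMAC-SHA256 under a server-side secret and compares in constant time; SERVER_SECRET, USERS, the per-user token and the cookie layout are constructed assumptions.

```python
import base64
import hashlib
import hmac
import time

# Assumption: a server-side key so a stolen database dump alone cannot forge cookies.
SERVER_SECRET = b"constructed-server-secret-keep-out-of-the-database"

# Constructed user store: username -> stored password hash (step 2.2 "load user data").
USERS = {"alice": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"}


def _digest(username, expiry, password_hash, token):
    """Step 1.2 / 2.3: keyed digest over exactly the fields from step 1.1."""
    msg = "\x00".join([username, str(expiry), password_hash, token]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def create_cookie(username, password_hash, token, ttl_seconds, now=None):
    """Step 1.3: base64(username:expiry:digest). Expiry is carried in the cookie
    so the server can both check it (2.4) and cover it with the digest."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    digest = _digest(username, expiry, password_hash, token)
    return base64.urlsafe_b64encode(f"{username}:{expiry}:{digest}".encode()).decode()


def validate_cookie(cookie, users, token, now=None):
    """Steps 2.1 to 2.5. Returns the username on success, else None."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode()).decode()
        # rsplit so a username containing ':' still parses; digest is hex, expiry digits.
        username, expiry_s, digest = raw.rsplit(":", 2)
        expiry = int(expiry_s)
    except (ValueError, UnicodeDecodeError):
        return None                      # malformed cookie
    password_hash = users.get(username)  # 2.2
    if password_hash is None:
        return None                      # unknown user
    if now >= expiry:
        return None                      # 2.4 expired
    expected = _digest(username, expiry, password_hash, token)  # 2.3
    if not hmac.compare_digest(expected, digest):               # 2.5, constant time
        return None
    return username
```

Because the stored password hash is part of the digest, a password change invalidates every outstanding remember-me cookie for that user without any server-side token table.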
