[
https://issues.apache.org/jira/browse/CLEREZZA-44?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12805101#action_12805101
]
Reto Bachmann-Gmür commented on CLEREZZA-44:
--------------------------------------------
It seems like this describes two separate issues. I agree with the first one,
that the cookie should by default expire (even though I'd like to see a check box
"keep me logged in").
As for the second issue: Cookie login isn't offering more security than basic
authentication; even if we scrambled the password, this wouldn't increase
security, as the scrambled password would be enough for the attacker to log in.
It could even be a danger, as it makes the user think that his password is
somehow safe while in fact it isn't. What might be possible is to encode the
password together with IP and/or date; this could produce an authentication
token only valid for requests (apparently) coming from a certain IP and only
valid within a certain period. The latter would compromise the "keep me logged
in" feature.
> Change cookie-based authentication
> ----------------------------------
>
> Key: CLEREZZA-44
> URL: https://issues.apache.org/jira/browse/CLEREZZA-44
> Project: Clerezza
> Issue Type: New Feature
> Reporter: Marco Zaugg
>
> Authentication cookie should expire after browser session ends. Furthermore,
> encode login credentials instead of showing them as plain text.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.