[ https://issues.apache.org/jira/browse/SHIRO-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15168358#comment-15168358 ]

Andreas Kohn commented on SHIRO-441:
------------------------------------

The pre-defined key issue relates to SHIRO-550 -- a really quick fix for the 
security aspect there is to not enable the remember-me functionality by default.

> Explain how "Remember Me" works under the hood and that you might want to use 
> a custom cipher key
> -------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-441
>                 URL: https://issues.apache.org/jira/browse/SHIRO-441
>             Project: Shiro
>          Issue Type: Documentation
>          Components: Documentation, Sample Apps
>    Affects Versions: 1.2.1
>            Reporter: Marian Seitner
>
> Neither the tutorial (http://shiro.apache.org/tutorial.html (section "Using 
> Shiro")) nor the the reference documentation 
> (http://shiro.apache.org/authentication.html#Authentication-Rememberedvs.Authenticated
>  (chapter "Authentication")) give any hints that without a custom cipher key 
> the - publicly available - default key will be used (defined in 
> http://grepcode.com/file/repo1.maven.org/maven2/com.ning/metrics.collector/1.2.1/org/apache/shiro/mgt/AbstractRememberMeManager.java/).
> Especially the statement in the tutorial is questionable: "this is all you 
> have to do to support 'remember me' (no config - built in!)". While true, and 
> fairly obvious to advanced developers, the potential security implications 
> should be better explained.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
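To make the mechanism behind the issue and the two remedies concrete, here is an added example that is not part of the Shiro project and not from either commenter. It is written against the Shiro 1.x API (`AesCipherService`, `CookieRememberMeManager`, `DefaultWebSecurityManager`, `org.apache.shiro.codec.Base64`); the environment variable name `SHIRO_REMEMBERME_KEY` is hypothetical, and the principal bytes are a constructed placeholder, not a real serialized `PrincipalCollection`.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Arrays;

import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

/**
 * Added example (not Shiro's own code): what the remember-me cookie value is made of,
 * how to replace the built-in default cipher key, and how to turn remember-me off.
 */
public class RememberMeKeyExample {

    /** Mint a fresh random AES key of the size Shiro's remember-me cipher uses (128 bits). */
    public static byte[] generateCipherKey() {
        Key key = new AesCipherService().generateNewKey(); // 128 bits unless reconfigured
        return key.getEncoded();
    }

    /**
     * The cookie value in outline: serialized principals -> AES-encrypt with the cipher
     * key -> Base64. Whoever holds the same key can decrypt an existing cookie or build
     * one the server will accept, which is why one public default key is a problem.
     */
    public static String encodeCookieValue(byte[] serializedPrincipals, byte[] cipherKey) {
        ByteSource encrypted = new AesCipherService().encrypt(serializedPrincipals, cipherKey);
        return Base64.encodeToString(encrypted.getBytes());
    }

    /** Inverse of encodeCookieValue: Base64-decode, then AES-decrypt with the same key. */
    public static byte[] decodeCookieValue(String cookieValue, byte[] cipherKey) {
        byte[] encrypted = Base64.decode(cookieValue);
        return new AesCipherService().decrypt(encrypted, cipherKey).getBytes();
    }

    /** Remedy 1: keep remember-me, but with a deployment-specific key instead of the default. */
    public static DefaultWebSecurityManager withCustomKey(byte[] cipherKey) {
        CookieRememberMeManager rememberMeManager = new CookieRememberMeManager();
        rememberMeManager.setCipherKey(cipherKey); // overrides the built-in default key
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(rememberMeManager);
        return securityManager;
    }

    /** Remedy 2 (the quick fix from the comment above): no remember-me manager at all. */
    public static DefaultWebSecurityManager withoutRememberMe() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        // DefaultWebSecurityManager installs a CookieRememberMeManager on construction;
        // removing it means no remember-me cookie is ever written or read.
        securityManager.setRememberMeManager(null);
        return securityManager;
    }

    public static void main(String[] args) {
        // Assumption: the key is provisioned per deployment as Base64 in the hypothetical
        // variable SHIRO_REMEMBERME_KEY; if it is absent, mint one rather than fall back
        // to the public default.
        String provisioned = System.getenv("SHIRO_REMEMBERME_KEY");
        byte[] key = provisioned != null ? Base64.decode(provisioned) : generateCipherKey();

        // Constructed stand-in for a serialized PrincipalCollection. A real cookie holds
        // Java-serialized principals, not a plain string.
        byte[] principals = "user=alice".getBytes(StandardCharsets.UTF_8);

        String cookie = encodeCookieValue(principals, key);
        byte[] roundTrip = decodeCookieValue(cookie, key);
        System.out.println("cookie value: " + cookie);
        System.out.println("decrypts back to input: " + Arrays.equals(principals, roundTrip));

        DefaultWebSecurityManager custom = withCustomKey(key);
        System.out.println("remember-me enabled with custom key: " + (custom.getRememberMeManager() != null));
        DefaultWebSecurityManager disabled = withoutRememberMe();
        System.out.println("remember-me disabled: " + (disabled.getRememberMeManager() == null));
    }
}
```

Two operational caveats: minting a key at startup invalidates every remember-me cookie issued before the restart, so in practice the key is provisioned (and shared across all nodes of a cluster, which must use the same key); and `decodeCookieValue` throws a `CryptoException` when the key does not match the one the cookie was encrypted with, which is the behaviour you want from a cookie minted under the old public default.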
