> I think I found a bug in MyFormAuthenticator. In line 147 remember me is
> set to "false" if it is not checked on the login page:

OK, now I understand it... it isn't a bug, but the PersistentLoginManager is also used just for session cookies. Kind of misleading naming and variable values (rememberme = "false").

In my opinion that's kind of a security flaw. The password is sent with each request to the server. That shouldn't happen. OK, it's encrypted and the key can be changed in xwiki.cfg, but who does that!? Or is that key generated somehow randomly? I didn't look into that.

Another weakness is that passwords are stored in clear text in the DB. That's normally considered a no-go. Only password hashes (with salts) should be stored in the DB.

Anyway, the current scheme causes problems for authentication methods where no password is involved, like OpenID. How should I address that? The simplest thing would be to automatically create a (random) password for those accounts. Otherwise I think I'll have to change quite a lot.

My other question is still open :-)

------%<-----------------------

My next question is how I can add an "openid_identifier" property to the XWikiUsers class as an "XClass", as proposed by Sergiu:

> I wouldn't add a new property to the XWikiUsers class; this leads to very
> thick classes, like XWikiPreferences, with properties used only in specific
> cases. I'd rather add a new XClass, for example XWiki.OpenIdAccount, and
> user profiles will have this kind of objects attached.

I didn't find any information on that. How is that done? How can I then search for the user with a specific OpenID identifier?

_______________________________________________
devs mailing list
http://lists.xwiki.org/mailman/listinfo/devs
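The approach Sergiu proposes (a separate XClass attached to the user profile, then an HQL lookup on its property), as an added illustration that is not code from the thread or from XWiki itself; it assumes XWiki's Groovy scripting API (`xwiki.getDocument`, `Document.getObject(name, create)`, `services.query.hql`), and the class name `XWiki.OpenIdAccount` and property name `openid_identifier` are taken from the message above:

```groovy
// Added example (assumed XWiki Groovy scripting API, not the project's own code).
// Attach a XWiki.OpenIdAccount object to a user profile document. Keeping the
// identifier in its own object means XWikiUsers is not widened, and a user with
// no password (OpenID-only) needs no placeholder credential stored anywhere.
def attachOpenId(userDocName, openId) {
  def profile = xwiki.getDocument(userDocName)              // e.g. "XWiki.JohnDoe"
  def obj = profile.getObject("XWiki.OpenIdAccount", true)  // create if absent
  obj.set("openid_identifier", openId)
  profile.save("Attached OpenID identifier")
}

// Look up the profile(s) carrying a given identifier. The value is bound as a
// named parameter rather than concatenated into the HQL string, so an
// attacker-controlled identifier cannot alter the query.
def findUserByOpenId(openId) {
  def hql = ", BaseObject obj, StringProperty prop " +
            "where doc.fullName = obj.name " +
            "and obj.className = 'XWiki.OpenIdAccount' " +
            "and prop.id.id = obj.id " +
            "and prop.id.name = 'openid_identifier' " +
            "and prop.value = :openId"
  // Returns the full names of matching documents, e.g. ["XWiki.JohnDoe"].
  return services.query.hql(hql).bindValue("openId", openId).execute()
}
```

An OpenID identifier should map to at most one profile, so the caller should treat more than one result as a data integrity error rather than logging in the first match.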

