Hello developers,

for quite a long time I have seen that XWiki has the practice of a cookie that holds the username (and password) encrypted. The way to encrypt the username seems to be a "simple" cipher that would be fairly easy to share, provided the key is shared of course.
I am considering using this for the purpose of recognizing the authenticity of a request to another web application. I am thinking a simple servlet filter would be able to do most of the authentication services, provided the user is logged in to XWiki (and the cookie path makes /blabla also receive the cookie).

But there are two questions:
- is this encryption recognizable as signed? (i.e. can someone without the key generate an encrypted username?)
- is this practice expected to last?

If yes to both, it would be interesting to share a servlet filter (or even an Apache module) that would do this recognition and indicate the recognized user principals. Maybe that was done already?

thanks in advance

Paul

