Chris Kimpton wrote:

> Hi,
>
> This is in proposal 0005 and seems to be also mentioned in this
> discussion:
>
> http://www.mail-archive.com/[email protected]/msg00704.html
>
> The documentation and discussions seem to imply it has not been
> implemented - is it still a valid item?

Nobody supplied patches for it.

> Let me know as I would like this facility for my project - I would
> aim to supply a patch for it.
>
> I would assume that it is an optional feature that is to be turned
> off by default.

So, the best thing would be to write a SessionValidator action that
behaves slightly differently from the one that we have now.

- The user has an option like "Remember me" in addition to
  Name/Password.

- This option makes the system set a (more or less permanent) cookie
  that is *not* traceable to the password. It could be a hash of
  username/password or else something truly random to be stored as
  User.setPerm( ... ). This is due to the incredible amount of
  security issues if the password can be deduced from the cookie:
  anybody could fake the cookie and log in as the user.

- When a session gets validated, if a cookie is present, the Validator
  will look up which user it belongs to, and log this user in if it
  equals the User.getPerm() info.

An option somewhere to remove the cookie would be interesting also.

Still, even if the password cannot be retrieved from the cookie, the
cookie can be faked and copied to a different browser to obtain a
login. But, at least, an attempt to change the password will be
logged.

This is inherently insecure, but I think that if the password cannot
be retrieved from the cookie, the behaviour can be considered
reasonable in some environments.

> Regards,
> Chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
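The remember-me scheme sketched in the reply above, written out as an added example. This is illustrative Python, not Turbine code and not the patch discussed in the thread: `User.perm` is a stand-in for Turbine's User.setPerm()/getPerm(), `USERS` is an in-memory table standing in for the user store, and the password field is a placeholder (a real system would use a proper password hash). One choice beyond what the thread says is mine: the cookie carries a random token, but the server side stores only a SHA-256 digest of it, so reading the user record does not yield a working cookie. The example also shows the weakness the reply concedes (a copied cookie still logs in) and the two remedies it mentions: an explicit "forget me", and invalidation when the password is changed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical in-memory user store; stands in for the real database.
USERS: dict = {}


@dataclass
class User:
    name: str
    password_hash: str                      # never placed in, or derivable from, the cookie
    perm: dict = field(default_factory=dict)  # stand-in for Turbine's User.setPerm()/getPerm()


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def create_user(name: str, password: str) -> User:
    # Placeholder password storage for the example only (not a real password hash).
    user = User(name=name, password_hash=_digest("pw:" + password))
    USERS[name] = user
    return user


def issue_remember_me(user: User) -> str:
    """Set on login when the user ticked 'Remember me'. Returns the cookie value."""
    token = secrets.token_urlsafe(32)          # truly random, unrelated to the password
    user.perm["remember_me"] = _digest(token)  # server keeps only the digest (my addition)
    return f"{user.name}:{token}"              # username lets the validator find the record


def validate_remember_me(cookie: Optional[str]) -> Optional[User]:
    """What the SessionValidator would do when no session exists but the cookie is present."""
    if not cookie or ":" not in cookie:
        return None
    name, token = cookie.split(":", 1)
    user = USERS.get(name)
    if user is None:
        return None
    stored = user.perm.get("remember_me")
    if stored is None:                          # cookie was removed or never issued
        return None
    # Constant-time comparison against the stored digest (the User.getPerm() check).
    if not hmac.compare_digest(stored, _digest(token)):
        return None
    return user


def forget_me(user: User) -> None:
    """The 'remove the cookie' option: any outstanding cookie stops working."""
    user.perm.pop("remember_me", None)


def change_password(user: User, new_password: str) -> None:
    user.password_hash = _digest("pw:" + new_password)
    forget_me(user)  # a password change should also retire remember-me cookies


if __name__ == "__main__":
    u = create_user("chris", "s3cret")
    cookie = issue_remember_me(u)
    print("cookie contains password:", "s3cret" in cookie)          # False
    print("valid cookie logs in:", validate_remember_me(cookie) is u)  # True
    print("copied cookie still logs in:", validate_remember_me(cookie) is u)  # True: the conceded weakness
    change_password(u, "newpw")
    print("after password change:", validate_remember_me(cookie))    # None
```

The cookie value has the shape `name:token`; since `secrets.token_urlsafe` never emits a colon, splitting on the first colon is unambiguous. Changing a stored digest from `perm` to a proper database column, and the placeholder password field to a real password hash, is all that separates this from a deployable shape of the feature.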
