DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4191>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4191

Cookie-based Authorized Sessions / How can the user automatically login using a cookie? - implemented?

------- Additional Comments From [EMAIL PROTECTED] 2001-10-16 02:39 -------

Comments from Santiago:

So, the best thing would be to write a SessionValidator action that behaves slightly differently than the one that we have now.

- The user has an option like "Remember me" in addition to Name/Password.
- This option makes the system set a (more or less permanent) cookie that is *not* traceable to the password. It could be a hash of username/password or else something truly random, to be stored as User.setPerm( ... ). This is due to the incredible amount of security issues if the password can be deduced from the cookie: anybody could fake the cookie and log in as the user.
- When a session gets validated, if a cookie is present, the Validator will look at what user it belongs to, and log this user in if it equals the User.getPerm() info.

An option somewhere to remove the cookie would be interesting also.

Still, even if the password cannot be retrieved from the cookie, the cookie can be faked and copied to a different browser to obtain a login. But, at least, an attempt to change the password will be logged. This is inherently insecure, but I think that if the password cannot be retrieved from the cookie, the behaviour can be considered reasonable in some environments.
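The scheme sketched in the comment above, as an added example in Python that is not Turbine's code: a truly random token is the cookie value, the validator traces the cookie back to its user and logs that user in only if it matches the perm data, and a "forget" operation revokes it. The `User`, `RememberMeValidator` and `COOKIE_KEY` names are assumptions standing in for Turbine's User.setPerm()/getPerm(); the example goes one step beyond the comment by storing only a hash of the token server side, so a leaked user table does not yield working cookies.

```python
import hashlib
import hmac
import secrets

COOKIE_KEY = "remember_me"  # hypothetical name for the perm entry (assumption)

class User:
    """Minimal stand-in for Turbine's User and its setPerm()/getPerm() data."""
    def __init__(self, name):
        self.name = name
        self.perm = {}

class RememberMeValidator:
    """Cookie handling a SessionValidator variant would need."""
    def __init__(self):
        self.by_hash = {}  # sha256(token) -> User: how a cookie is traced to its user

    def issue_cookie(self, user):
        """'Remember me' chosen: set a truly random token, not derived from the password."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        user.perm[COOKIE_KEY] = digest  # User.setPerm(...) in Turbine terms; only the hash is kept
        self.by_hash[digest] = user
        return token

    def validate(self, cookie):
        """Session validation: find the cookie's user, log in only if it equals the stored perm."""
        if not cookie:
            return None
        digest = hashlib.sha256(cookie.encode()).hexdigest()
        user = self.by_hash.get(digest)
        if user is None:
            return None
        stored = user.perm.get(COOKIE_KEY, "")
        return user if hmac.compare_digest(digest, stored) else None

    def forget(self, user):
        """The 'remove the cookie' option: revoke server side, so a copied cookie dies too."""
        digest = user.perm.pop(COOKIE_KEY, None)
        if digest is not None:
            self.by_hash.pop(digest, None)

def demo():
    v, alice = RememberMeValidator(), User("alice")
    cookie = v.issue_cookie(alice)
    accepted = v.validate(cookie) is alice
    forged_rejected = v.validate("guessed-value") is None
    v.forget(alice)
    revoked = v.validate(cookie) is None
    return accepted, forged_rejected, revoked
```

As the comment notes, a copied cookie still works until it is revoked, which is why the forget path is part of the design rather than an afterthought.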
