http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4191

Cookie-based Authorized Sessions / How can the user automatically login using a cookie? - implemented?

------- Additional Comments From [EMAIL PROTECTED] 2002-01-04 09:03 -------

Here is what I plan to do:

Add the following to JR.p

  automatic.logon.enable true/false
  automatic.logon.expires [life of auto login]
  automatic.logon.domain [of the cookie - needed? or use getServer()]

There will be 2 cookies on the user machine, one with the user id in plain text and one with a random id, generated each time they logon. This means that the cookie can be copied and used from machine to machine - but cannot be generated by just knowing the user id.

Amend the login templates to have a "remember me" check box à la Yahoo.

Amend JLoginUser, if enable/user selects remember me, stores cookies.

Amend EditAccount to have the "remember me" checkbox - so that a user can turn it off from that page.

Amend Logout to remove the cookie.

Amend SessionValidator to use the cookie to log the user in - if the user id/random number on the user PC match the entries in the persistent store.

Comments?

Looking at the Tomcat single sign on facility, it seems to be a Tomcat specific feature - meaning that we would be tying Jetspeed to Tomcat - which I don't want to do. It also would probably mean a significant change to map the TurbineUser onto the servlet realm/principal entries - perhaps something that would be easier with Turbine3. The only advantage is that it allows for a single logon to be valid for several webapps on a server - but since Jetspeed manages multiple portlets (mini-apps), I don't think it is much of an advantage.
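The two-cookie scheme proposed in the comment above, sketched as an added example (not code from the commenter or from Jetspeed). The class name `AutoLogonTokens`, the in-memory map standing in for the persistent store, and the choice to store only a SHA-256 hash of the random id are assumptions of this sketch; `main` shows that a second logon replaces the earlier random id.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
// Hypothetical helper: an in-memory map stands in for the persistent store.
public class AutoLogonTokens {
    private record Entry(byte[] tokenHash, Instant expires) {}
    private final Map<String, Entry> store = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration lifetime; // plays the role of automatic.logon.expires
    public AutoLogonTokens(Duration lifetime) { this.lifetime = lifetime; }

    // At logon with "remember me" ticked: returns the random-id cookie value.
    public String issue(String userId) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // Assumption of this sketch: keep only a hash, so a leaked store cannot mint cookies.
        store.put(userId, new Entry(sha256(token), Instant.now().plus(lifetime)));
        return token;
    }

    // In the session validator: both cookie values must match the stored entry.
    public boolean validate(String userId, String token) {
        if (userId == null || token == null) return false;
        Entry e = store.get(userId);
        if (e == null) return false;
        if (Instant.now().isAfter(e.expires())) { store.remove(userId); return false; }
        return MessageDigest.isEqual(e.tokenHash(), sha256(token)); // constant-time compare
    }

    // At logout, or when the user turns "remember me" off.
    public void revoke(String userId) { store.remove(userId); }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
    }

    public static void main(String[] args) {
        AutoLogonTokens t = new AutoLogonTokens(Duration.ofDays(14)); // constructed lifetime
        String first = t.issue("jsmith"), second = t.issue("jsmith"); // constructed user id
        System.out.println("first logon's cookie valid:  " + t.validate("jsmith", first));
        System.out.println("second logon's cookie valid: " + t.validate("jsmith", second));
        t.revoke("jsmith");
        System.out.println("valid after logout:          " + t.validate("jsmith", second));
    }
}
```

Because the random-id cookie works from any machine it is copied to, it should be sent only over HTTPS and kept out of reach of page scripts wherever the container allows those cookie attributes to be set.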
