Hi,
I also have an interest in automating login via cookies.
For my application, the access provided after login is only valuable to the
user; thus I prefer to let the user create their own security requirements.
If they prefer to store authentication information in a cookie and not have
to worry about logging in, I don't mind passing the onus of securing the
cookie info on to them.
Anyway, here is my question: Where would be the preferred place to put the
cookie check (to see if the cookie exists and automatically login if
appropriate) with Turbine? I am assuming that it should be done upon a new
session, so would this be done in the SessionValidator action?
-Kevin
-----Original Message-----
From: jon [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 29, 2001 12:39 PM
To: turbine
Cc: jon
Subject: Re: Turbine & cookies
on 1/29/01 7:04 AM, "Leon Messerschmidt" <[EMAIL PROTECTED]> wrote:
>My idea is mainly to store something like a unique identifier (*not*
>password) on the client side. On the first hit of a new session the app
>will check for this id and automatically log the user in if it exists.
>
>The users of this app will generally use the system from their own
>computers only. We also use logging in exclusively for user preferences,
>and I'd like logging in to be a bit more transparent to the user.
>
>What I'm pondering at the moment is whether it would be worthwhile to add
>some utility class that manages this automatically for you in Turbine. And
>to what extent - is a general cookie utility good enough or should I go as
>far as persistent logging in over sessions?
That isn't secure as I could more easily guess your unique ID than I could
your username/password.
It is *never* a good idea to simplify this stuff for users. It is a fairly
major security risk to do so and I wouldn't want to encourage people doing
it in Turbine.
I'm sorry, but I'm going to have to put my foot down on this one. I don't
mind a class that helps with dealing with HttpSession objects (is it really
that difficult?), but I do mind a class that helps with making a potentially
insecure system.
-jon