Hi. Right now I am using the default AES key for the RememberMe token, described here: https://shiro.apache.org/static/current/apidocs/org/apache/shiro/mgt/AbstractRememberMeManager.html

We consider the username to be sensitive information, however, so I want to avoid using the default, and read about one technique for doing so here: http://balusc.blogspot.sg/2013/01/apache-shiro-is-it-ready-for-java-ee-6.html#RememberMe

I am thinking of using a randomized key, by generating a new random key each time the application starts. This would make old tokens unusable at each restart, but that should be rare enough not to cause much inconvenience. (I suppose I could also store the keys somewhere secure and rotate them at appropriate time intervals to reduce the inconvenience, but that adds a lot of unnecessary complexity for our purpose.)

The simplest way I have thought of doing this is by just having the getInstance() method of a class return a new random key, and loading it via shiro.ini:

Is there a simpler or better way of doing this? Are there any problems to watch out for? Also, are there any other default keys in Shiro that I should maybe pay attention to?

Thanks.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Randomized-key-for-RememberMe-token-tp7579078.html
Sent from the Shiro User mailing list archive at Nabble.com.
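The per-start random key described in the post, written out as an added example (this is not code from the post or from the Shiro project). It implements Shiro's org.apache.shiro.util.Factory so that a "$rememberMeKey" reference in shiro.ini resolves to the factory's getInstance() result, which is the mechanism the post's getInstance() idea relies on. The package name com.example.shiro and the class name RandomRememberMeKey are hypothetical; the example assumes shiro-web (and its commons-beanutils dependency) on the classpath, and it uses the well-known Shiro default key only to verify that it has been replaced.

```java
package com.example.shiro;                      // hypothetical package name

import java.security.Key;
import java.util.Arrays;

import org.apache.shiro.codec.Base64;
import org.apache.shiro.config.Ini;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.mgt.AbstractRememberMeManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.util.Factory;
import org.apache.shiro.web.config.WebIniSecurityManagerFactory;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

/**
 * A Shiro Factory whose getInstance() hands out a random AES key generated
 * when the object is constructed, i.e. once per application start.
 *
 * Shiro's INI wiring (ReflectionBuilder) resolves a "$name" reference to
 * name.getInstance() when the named object implements
 * org.apache.shiro.util.Factory, so "$rememberMeKey" becomes the byte[].
 */
public class RandomRememberMeKey implements Factory<byte[]> {

    // Shiro's well-known default RememberMe key; used below only to check
    // that the randomized key actually replaced it.
    static final byte[] SHIRO_DEFAULT_KEY = Base64.decode("kPH+bIxk5D2deZiIxcaaaA==");

    private final byte[] key;

    public RandomRememberMeKey() {
        // Let Shiro's own AES cipher service pick the key (128 bits by default),
        // so the key length always matches what the RememberMe manager expects.
        Key generated = new AesCipherService().generateNewKey();
        this.key = generated.getEncoded();
    }

    /**
     * Returns the same key on every call. A factory that produced a fresh key
     * per call would break as soon as the INI referenced $rememberMeKey twice,
     * because encryption and decryption must share one key.
     */
    @Override
    public byte[] getInstance() {
        return key.clone();                     // copy, so callers cannot alter our key
    }

    /** True if the configured RememberMe cipher key is still Shiro's default. */
    public static boolean usesDefaultKey(SecurityManager sm) {
        AbstractRememberMeManager rmm =
                (AbstractRememberMeManager) ((DefaultWebSecurityManager) sm).getRememberMeManager();
        return Arrays.equals(rmm.getCipherKey(), SHIRO_DEFAULT_KEY);
    }

    /** Builds a web SecurityManager from the equivalent of a shiro.ini [main] section. */
    public static SecurityManager buildFromIni() {
        Ini ini = new Ini();
        // Equivalent shiro.ini:
        //   [main]
        //   rememberMeKey = com.example.shiro.RandomRememberMeKey
        //   securityManager.rememberMeManager.cipherKey = $rememberMeKey
        Ini.Section main = ini.addSection("main");
        main.put("rememberMeKey", RandomRememberMeKey.class.getName());
        main.put("securityManager.rememberMeManager.cipherKey", "$rememberMeKey");
        return new WebIniSecurityManagerFactory(ini).getInstance();
    }

    public static void main(String[] args) {
        SecurityManager sm = buildFromIni();
        if (usesDefaultKey(sm)) {
            throw new IllegalStateException("RememberMe cipher key is still Shiro's default");
        }
        // Two application starts yield two unrelated keys: a cookie issued by
        // one process cannot be decrypted by the next, which is the intended
        // "old tokens become unusable after a restart" behaviour.
        byte[] first = new RandomRememberMeKey().getInstance();
        byte[] second = new RandomRememberMeKey().getInstance();
        System.out.println("keys differ across starts: " + !Arrays.equals(first, second));
    }
}
```

Two things worth checking before relying on this: the key lives only in the JVM that generated it, so if the application runs as several load-balanced instances each node will reject the cookies the others issued, and you will need either sticky sessions or a key shared out of band; and because the factory is instantiated by the INI builder, any other "$rememberMeKey" reference added later to shiro.ini gets the same bytes only because getInstance() caches the key rather than regenerating it.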
