Hi there,

has anyone worked on a RememberMeManager that stores the credentials in the database?

As far as I can tell the current CookieRememberMeManager encrypts the principal and stores the encrypted value in a cookie. Identity is restored if we can decrypt the supplied cookie value from the user agent.

Would it be possible to offload this to a database? Say the cookie value is just a nonce. A uuid for example. The RememberMeManager implementation must then look into the database for the nonce. If there is a matching principal it returns a successful identity. Otherwise it doesn’t.

This way we could invalidate remembered sessions for some users and not for all by means of changing the cipher key.

Does this make sense? Could this work? Any ideas would be appreciated.

Kind regards
Björn
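The nonce-in-cookie scheme described in the message above, as an added example that is not part of the original post and not Shiro code: `RememberMeTokenStore`, its method names and the `remember_me` table layout are hypothetical, and an in-memory map stands in for the database. It uses a 256-bit random value instead of a UUID and stores only its SHA-256 digest, so that reading the table does not reveal valid cookie values.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
// Hypothetical store, not a Shiro class. The map stands in for a table
// remember_me(token_hash PRIMARY KEY, principal, expires_at).
public class RememberMeTokenStore {
    private record Entry(String principal, long expiresAt) {}
    private final Map<String, Entry> table = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    // After a successful login with rememberMe set; the return value is the cookie value.
    public String issue(String principal, long ttlMillis) {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        table.put(hash(token), new Entry(principal, System.currentTimeMillis() + ttlMillis));
        return token;
    }

    // When a request arrives with the cookie; empty means "no remembered identity".
    public Optional<String> resolve(String token) {
        if (token == null) return Optional.empty();
        Entry e = table.get(hash(token));
        if (e == null || e.expiresAt() <= System.currentTimeMillis()) return Optional.empty();
        return Optional.of(e.principal());
    }

    // Per-user invalidation: removes the remembered sessions of one principal only.
    public void revokeAll(String principal) {
        table.values().removeIf(e -> e.principal().equals(principal));
    }

    // Only the digest is stored, so a leaked table does not yield usable cookie values.
    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);         // SHA-256 is mandatory on every Java platform
        }
    }
    public static void main(String[] args) {             // constructed sample principals
        RememberMeTokenStore store = new RememberMeTokenStore();
        String alice = store.issue("alice", 86_400_000L), bob = store.issue("bob", 86_400_000L);
        store.revokeAll("alice");                        // alice's cookie stops resolving, bob's still does
        System.out.println(store.resolve(alice) + " " + store.resolve(bob));
    }
}
```

Because the lookup key is a digest of a high-entropy random value, the database's indexed equality match is sufficient and no per-token salt is needed.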