I was assuming that since Google's apps have the ability to remember the login state across browser sessions (through the 'remember me' feature) the notifier would be able to bypass full-authentication at the start of every browser session, instead using the 'remember me' credentials which don't need the login form to be displayed.
On 21 April 2012 22:08, Zachary “Gamer_Z.” Yaro <zmy...@gmail.com> wrote:
> I am familiar with that extension, having forked it after the original
> developer abandoned the project. It was created before the Gwave data API
> existed, so I am pretty sure it required the user to be logged in. I think
> the “proper” way to create a wave notifier extension (and the way Google
> made its extension) is using the data API.
>
> —Zachary “Gamer_Z.” Yaro
>
>
> On Sat, Apr 21, 2012 at 17:03, Yuri Z <vega...@gmail.com> wrote:
>
>> Yep. Do you think it wasn't the case for Google Wave Notifier?
>>
>> On Sat, Apr 21, 2012 at 11:05 PM, Ali Lown <a...@lown.me.uk> wrote:
>>
>> > >> @Yuri:
>> > >> If we wanted to add the ability to 'remember me' for the logins how do
>> > >> we want to ensure sessions aren't hijacked? The obvious way would be
>> > >> to use a cookie with some form of unique id in, but the unique id
>> > >> shouldn't be related to the user-id otherwise it could be predicted
>> > >> and used to bypass authentication.
>> > >>
>> > > I think the session is stored in the JSESSIONID cookie by Jetty and
>> > > notifier can access it even if the tab was closed since it has access to
>> > > cookies on the wiab domain that is defined in manifest.json of the chrome
>> > > extension.
>> >
>> > Yes, but this still relies on the user having logged in within the
>> > current browser session (closing and reopening the browser invalidates
>> > the session ATM).
>> >
>>
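
The 'remember me' cookie raised in the quoted thread (a unique id unrelated to the user-id, so it cannot be predicted) can be sketched as follows. This is an added example, not part of the thread and not Wave's code; the function names, the in-memory store, the two-week lifetime, and the selector/validator split with single-use rotation are assumptions that go beyond what the thread proposes.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory store: selector -> (sha256(validator), user_id, expiry).
# A real server would keep this beside its account records.
_TOKENS = {}
LIFETIME_SECONDS = 14 * 24 * 3600  # assumed two-week lifetime


def _digest(validator):
    # Only the hash is stored, so a leaked token table cannot be replayed.
    return hashlib.sha256(validator.encode("utf-8")).digest()


def issue_token(user_id, now=None):
    """Return a cookie value 'selector:validator' drawn from the OS CSPRNG.

    Neither half is derived from user_id, so knowing an account name gives
    no help in guessing a valid cookie.
    """
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    _TOKENS[selector] = (_digest(validator), user_id, now + LIFETIME_SECONDS)
    return f"{selector}:{validator}"


def redeem_token(cookie_value, now=None):
    """Return (user_id, replacement_cookie), or (None, None) if rejected.

    The record is deleted on every lookup that finds its selector, so a
    token is single-use and a replayed copy is refused.
    """
    now = time.time() if now is None else now
    selector, sep, validator = cookie_value.partition(":")
    record = _TOKENS.pop(selector, None) if sep else None
    if record is None:
        return None, None
    stored_digest, user_id, expiry = record
    # Constant-time comparison of the hashed validator.
    if now > expiry or not hmac.compare_digest(stored_digest, _digest(validator)):
        return None, None
    return user_id, issue_token(user_id, now)
```
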