Not everyone uses the “remember me” feature, and those who do still must re-authenticate after some period of time for security reasons. As I said before, Google recommended use of the Wave Data API, which bypasses this issue.
—Zachary “Gamer_Z.” Yaro

On Sat, Apr 21, 2012 at 17:13, Ali Lown <a...@lown.me.uk> wrote:

> I was assuming that since Google's apps have the ability to remember
> the login state across browser sessions (through the 'remember me'
> feature) the notifier would be able to bypass full-authentication at
> the start of every browser session, instead using the 'remember me'
> credentials which don't need the login form to be displayed.
>
> On 21 April 2012 22:08, Zachary “Gamer_Z.” Yaro <zmy...@gmail.com> wrote:
> > I am familiar with that extension, having forked it after the original
> > developer abandoned the project. It was created before the Gwave data API
> > existed, so I am pretty sure it required the user to be logged in. I think
> > the “proper” way to create a wave notifier extension (and the way Google
> > made its extension) is using the data API.
> >
> > —Zachary “Gamer_Z.” Yaro
> >
> > On Sat, Apr 21, 2012 at 17:03, Yuri Z <vega...@gmail.com> wrote:
> >
> >> Yep. Do you think it wasn't the case for Google Wave Notifier?
> >>
> >> On Sat, Apr 21, 2012 at 11:05 PM, Ali Lown <a...@lown.me.uk> wrote:
> >>
> >> > >> @Yuri:
> >> > >> If we wanted to add the ability to 'remember me' for the logins how do
> >> > >> we want to ensure sessions aren't hijacked? The obvious way would be
> >> > >> to use a cookie with some form of unique id in, but the unique id
> >> > >> shouldn't be related to the user-id otherwise it could be predicted
> >> > >> and used to bypass authentication.
> >> > >>
> >> > >> I think the session is stored in the JSESSIONID cookie by Jetty and
> >> > > notifier can access it even if the tab was closed since it has access to
> >> > > cookies on the wiab domain that is defined in manifest.json of the chrome
> >> > > extension.
> >> >
> >> > Yes, but this still relies on the user having logged in within the
> >> > current browser session (closing and reopening the browser invalidates
> >> > the session ATM).
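
Added example, not part of the thread or of the project's code: one way to issue a 'remember me' cookie whose value is unrelated to the user-id, as the quoted question asks for. The class name, the in-memory map standing in for a database table, the 14-day lifetime and the use of Java 16+ records are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical remember-me token store; the map stands in for a database table.
public class RememberMeTokens {
    private record Entry(String userId, byte[] validatorHash, Instant expires) {}
    private static final long LIFETIME_SECONDS = 14L * 24 * 3600; // assumed policy
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, Entry> bySelector = new ConcurrentHashMap<>();
    // Cookie value is "selector:validator"; both parts are random, neither derives from userId.
    public String issue(String userId) {
        String selector = random(12), validator = random(32);
        bySelector.put(selector, new Entry(userId, sha256(validator),
                Instant.now().plusSeconds(LIFETIME_SECONDS)));
        return selector + ":" + validator;
    }
    // Single use: the entry is removed on every attempt, so the caller issues a new cookie on success.
    public Optional<String> redeem(String cookieValue) {
        String[] parts = cookieValue == null ? new String[0] : cookieValue.split(":", -1);
        if (parts.length != 2) return Optional.empty();
        Entry e = bySelector.remove(parts[0]); // a replayed or guessed cookie finds nothing afterwards
        if (e == null || Instant.now().isAfter(e.expires())) return Optional.empty();
        // Only the hash is stored server-side; compare in constant time.
        return MessageDigest.isEqual(e.validatorHash(), sha256(parts[1]))
                ? Optional.of(e.userId()) : Optional.empty();
    }
    private String random(int bytes) {
        byte[] b = new byte[bytes];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex); // SHA-256 is mandatory on every Java platform
        }
    }
    public static void main(String[] args) {
        RememberMeTokens store = new RememberMeTokens();
        String cookie = store.issue("alice@example.com"); // constructed sample user
        System.out.println(store.redeem(cookie) + " " + store.redeem(cookie)); // first use, then replay
    }
}
```

The cookie carrying this value would be set with the `Secure` and `HttpOnly` attributes, and every entry for a user deleted on logout or password change.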