Posted to dev@shiro.apache.org by "Richard Bradley (JIRA)" <ji...@apache.org> on 2016/02/25 18:09:18 UTC

[jira] [Comment Edited] (SHIRO-441) Explain how "Remember Me" works under the hood and that you might want to use a custom cipher key

    [ https://issues.apache.org/jira/browse/SHIRO-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15167453#comment-15167453 ] 

Richard Bradley edited comment on SHIRO-441 at 2/25/16 5:08 PM:
----------------------------------------------------------------

I think that using a publicly available key by default is a serious security issue and should be treated as a high priority bug.

In my opinion, Shiro should use a random key (generated at server startup) by default for "remember me" -- this will suffice for testing the feature on development machines and for demos, but will prevent people accidentally releasing Shiro into production with insecure settings.

See also:
 * https://github.com/pledbrook/grails-shiro/issues/28
 * http://stackoverflow.com/questions/26639205/shiro-how-does-remember-me-work/35633675


> Explain how "Remember Me" works under the hood and that you might want to use a custom cipher key
> -------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-441
>                 URL: https://issues.apache.org/jira/browse/SHIRO-441
>             Project: Shiro
>          Issue Type: Documentation
>          Components: Documentation, Sample Apps
>    Affects Versions: 1.2.1
>            Reporter: Marian Seitner
>
> Neither the tutorial (http://shiro.apache.org/tutorial.html (section "Using Shiro")) nor the reference documentation (http://shiro.apache.org/authentication.html#Authentication-Rememberedvs.Authenticated (chapter "Authentication")) give any hints that without a custom cipher key the - publicly available - default key will be used (defined in http://grepcode.com/file/repo1.maven.org/maven2/com.ning/metrics.collector/1.2.1/org/apache/shiro/mgt/AbstractRememberMeManager.java/).
> Especially the statement in the tutorial is questionable: "this is all you have to do to support 'remember me' (no config - built in!)". While true, and fairly obvious to advanced developers, the potential security implications should be better explained.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
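The comment above proposes that a deployment should never run on the default key shipped in AbstractRememberMeManager, and that a key generated at server startup is an adequate default. The following is an added example of that approach, written for this page and not code from the Shiro project or from either commenter. It uses Shiro's public 1.x API (CookieRememberMeManager.setCipherKey, AesCipherService.generateNewKey, DefaultWebSecurityManager.setRememberMeManager). The class name, the package and the SHIRO_REMEMBER_ME_KEY environment variable are assumptions made for the example.

```java
package example; // hypothetical package chosen for this example

import java.security.Key;

import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

/**
 * Builds a RememberMe manager that never falls back to Shiro's published
 * default cipher key. Operators may pin a key through an environment
 * variable (needed when several nodes must accept each other's cookies);
 * otherwise a fresh AES key is generated for this process.
 */
public final class RememberMeKeyConfig {

    /** Environment variable name assumed for this example. */
    static final String KEY_ENV = "SHIRO_REMEMBER_ME_KEY";

    private RememberMeKeyConfig() {
    }

    /** Security manager wired with a non-default RememberMe key. */
    public static DefaultWebSecurityManager securityManager() {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(rememberMeManager());
        return sm;
    }

    /** CookieRememberMeManager whose encryption and decryption key is set explicitly. */
    static CookieRememberMeManager rememberMeManager() {
        CookieRememberMeManager mgr = new CookieRememberMeManager();
        // setCipherKey(byte[]) sets both the encryption and the decryption key.
        mgr.setCipherKey(loadOrGenerateKey());
        return mgr;
    }

    /**
     * Prefer an operator-supplied base64 key; generate one at startup otherwise.
     * A generated key is only valid for this process: cookies issued under it
     * stop working after a restart and are rejected by other nodes, which is
     * acceptable for development and demos but not for a clustered deployment.
     */
    static byte[] loadOrGenerateKey() {
        String configured = System.getenv(KEY_ENV);
        if (configured != null && !configured.trim().isEmpty()) {
            byte[] key = Base64.decode(configured.trim());
            if (key.length != 16 && key.length != 24 && key.length != 32) {
                throw new IllegalStateException(
                    KEY_ENV + " must decode to a 128-, 192- or 256-bit AES key, got "
                    + (key.length * 8) + " bits");
            }
            return key;
        }
        System.err.println("WARNING: " + KEY_ENV + " is not set; using a per-process "
            + "RememberMe key. Set it to the value printed by newKeyBase64() for "
            + "production so that cookies survive restarts and work across nodes.");
        return generateKey();
    }

    /** Fresh 128-bit AES key from Shiro's own cipher service (its default key size). */
    static byte[] generateKey() {
        Key key = new AesCipherService().generateNewKey();
        return key.getEncoded();
    }

    /** Helper for operators: prints a new key in the base64 form the config expects. */
    public static String newKeyBase64() {
        return Base64.encodeToString(generateKey());
    }

    public static void main(String[] args) {
        System.out.println("Example RememberMe key (keep secret): " + newKeyBase64());
    }
}
```

The same key can be supplied in shiro.ini instead of code by setting the rememberMeManager's cipherKey property to the base64 string; whichever route is used, the point is that the key is chosen by the operator or generated at runtime, and the well-known default key compiled into AbstractRememberMeManager is never what protects the cookie.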