Posted to dev@clerezza.apache.org by "Reto Bachmann-Gmür (JIRA)" <ji...@apache.org> on 2010/01/26 18:14:34 UTC

[jira] Commented: (CLEREZZA-44) Change cookie-based authentication

    [ https://issues.apache.org/jira/browse/CLEREZZA-44?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12805101#action_12805101 ] 

Reto Bachmann-Gmür commented on CLEREZZA-44:
--------------------------------------------

It seems like this describes two separate issues. I agree with the first one, that the cookie should by default expire (even though I'd like to see a check box "keep me logged in").

As for the second issue: Cookie login isn't offering more security than basic authentication; even if we scrambled the password this wouldn't increase security, as the scrambled password would be enough for the attacker to log in. It could even be a danger, as it makes the user think that his password is somehow safe while in fact it isn't. What might be possible is to encode the password together with IP and/or date; this could produce an authentication token only valid for requests (apparently) coming from a certain IP and only valid within a certain period. The latter would compromise the "keep me logged in" feature.

> Change cookie-based authentication
> ----------------------------------
>
>                 Key: CLEREZZA-44
>                 URL: https://issues.apache.org/jira/browse/CLEREZZA-44
>             Project: Clerezza
>          Issue Type: New Feature
>            Reporter: Marco Zaugg
>
> Authentication cookie should expire after browser session ends. Furthermore, encode login credentials instead of showing them as plain text.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
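The two designs contrasted in the comment above, as an added example that is not part of the Clerezza code base or of this thread: a reversibly "scrambled" credential cookie, which any holder can decode back to the password and replay, beside a token that carries no password at all and is instead an HMAC over the username, client IP and expiry time under a server-side key. The key value, the token layout (`user|ip|expires|mac`), the use of HMAC-SHA256 and the helper names are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed server-side secret for this example only; a real deployment
# loads it from protected configuration and never hard-codes it.
SERVER_KEY = b"example-server-key-not-for-production"


def scrambled_cookie(username: str, password: str) -> str:
    """The 'encode the credentials' approach from the ticket: a reversible
    encoding only. Whoever captures the cookie recovers the password."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def unscramble_cookie(cookie: str) -> Tuple[str, str]:
    """What an attacker does with a captured scrambled cookie."""
    user, _, pw = base64.b64decode(cookie).decode().partition(":")
    return user, pw


def issue_token(username: str, client_ip: str, ttl_seconds: int,
                now: Optional[int] = None) -> str:
    """Token bound to the client IP and an expiry, authenticated with HMAC.
    The password never enters the cookie, and the MAC cannot be produced
    without SERVER_KEY, so the fields cannot be edited by the client."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    payload = f"{username}|{client_ip}|{expires}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b"|" + mac.encode()).decode()


def verify_token(token: str, client_ip: str,
                 now: Optional[int] = None) -> Optional[str]:
    """Return the username if the token is authentic, unexpired and presented
    from the IP it was issued to; otherwise None. Malformed input is rejected
    rather than raising."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        username, ip, expires_s, mac = raw.split("|")
        expires = int(expires_s)
    except (ValueError, UnicodeDecodeError):
        return None
    payload = f"{username}|{ip}|{expires}".encode()
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so MAC checking does not leak via timing.
    if not hmac.compare_digest(mac, expected):
        return None
    if ip != client_ip:
        return None
    if now >= expires:
        return None
    return username


def forge_ip(token: str, new_ip: str) -> str:
    """Attacker without SERVER_KEY rewrites the IP field of a captured token.
    The old MAC no longer matches the edited payload, so verification fails."""
    raw = base64.urlsafe_b64decode(token.encode()).decode()
    username, _old_ip, expires_s, mac = raw.split("|")
    edited = f"{username}|{new_ip}|{expires_s}|{mac}".encode()
    return base64.urlsafe_b64encode(edited).decode()


if __name__ == "__main__":
    # Constructed sample session values.
    c = scrambled_cookie("alice", "s3cret")
    print("scrambled cookie decodes to:", unscramble_cookie(c))
    t = issue_token("alice", "10.0.0.5", 3600, now=1000)
    print("same IP, in time:", verify_token(t, "10.0.0.5", now=2000))
    print("other IP:", verify_token(t, "10.0.0.9", now=2000))
    print("expired:", verify_token(t, "10.0.0.5", now=4600))
    print("IP field forged:", verify_token(forge_ip(t, "10.0.0.9"), "10.0.0.9", now=2000))
```

As the comment notes, the expiry directly limits a "keep me logged in" feature; a longer `ttl_seconds` widens the replay window. Binding to the client IP also breaks for users whose address changes mid-session (NAT pools, mobile networks), and a token captured on the same network as its owner still replays until it expires.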