Posted to jetspeed-dev@portals.apache.org by Chris Kimpton <ki...@yahoo.com> on 2001/10/08 17:34:13 UTC

Cookie-based Authorized Sessions / How can the user automatically login using a cookie? - implemented?

Hi,

This is in proposal 0005 and seems to be also mentioned in this
discussion:

http://www.mail-archive.com/jetspeed-user@jakarta.apache.org/msg00704.html

The documentation and discussions seem to imply it has not been
implemented - is it still a valid item?

Let me know as I would like this facility for my project - I would
aim to supply a patch for it.

I would assume that it is an optional feature that is to be turned
off by default.

Regards,
Chris


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org


Re: Cookie-based Authorized Sessions / How can the user automatically login using a cookie? - implemented?

Posted by Paul Spencer <pa...@mikon.com>.
Chris,
I have posted similar comments on this issue; please search the user
and developer lists for additional comments and concerns.

Tomcat v4.x has added some "single sign-on" functionality.  Can this
be used?

Paul Spencer

Santiago Gala wrote:
> 
> Chris Kimpton wrote:
> 
> >Hi,
> >
> >This is in proposal 0005 and seems to be also mentioned in this
> >discussion:
> >
> >http://www.mail-archive.com/jetspeed-user@jakarta.apache.org/msg00704.html
> >
> >The documentation and discussions seem to imply it has not been
> >implemented - is it still a valid item?
> >
> Nobody supplied patches for it.
> 
> >
> >Let me know as I would like this facility for my project - I would
> >aim to supply a patch for it.
> >
> >I would assume that it is an optional feature that is to be turned
> >off by default.
> >
> So, the best thing would be to write a SessionValidator action that
> behaves slightly differently from the one that we have now.
> 
> - User has an option like Remember me in addition to Name/Password.
> - This option makes the system set a (more or less permanent) cookie
> that is *not* traceable to the password. It could be a hash of
> username/password or else something truly random to be stored as
> User.setPerm( ... ). This is due to the incredible amount of security
> issues if the password can be deduced from the cookie. Anybody could
> fake the cookie and log in as the user.
> 
> - When a session gets validated, if a cookie is present, the Validator
> will look up which user it belongs to, and log this user in if it equals the
> User.getPerm() info.
> 
> An option somewhere to remove the cookie would be interesting also.
> 
> Still, even if the password cannot be retrieved from the cookie, the
> cookie can be faked and copied to a different browser to have login.
> But, at least, an attempt to change password will be logged. This is
> inherently insecure, but I think that if the password cannot be
> retrieved from the cookie, the behaviour can be considered reasonable in
> some environments.
> 
> >
> >
> >Regards,
> >Chris
> >



Re: Cookie-based Authorized Sessions / How can the user automatically login using a cookie? - implemented?

Posted by Santiago Gala <sg...@hisitech.com>.
Chris Kimpton wrote:

>Hi,
>
>This is in proposal 0005 and seems to be also mentioned in this
>discussion:
>
>http://www.mail-archive.com/jetspeed-user@jakarta.apache.org/msg00704.html
>
>The documentation and discussions seem to imply it has not been
>implemented - is it still a valid item?
>
Nobody supplied patches for it.

>
>Let me know as I would like this facility for my project - I would
>aim to supply a patch for it.
>
>I would assume that it is an optional feature that is to be turned
>off by default.
>
So, the best thing would be to write a SessionValidator action that
behaves slightly differently from the one that we have now.

- User has an option like Remember me in addition to Name/Password.
- This option makes the system set a (more or less permanent) cookie
that is *not* traceable to the password. It could be a hash of
username/password or else something truly random to be stored as
User.setPerm( ... ). This is due to the incredible amount of security
issues if the password can be deduced from the cookie. Anybody could
fake the cookie and log in as the user.

- When a session gets validated, if a cookie is present, the Validator
will look up which user it belongs to, and log this user in if it equals the
User.getPerm() info.

An option somewhere to remove the cookie would be interesting also.

Still, even if the password cannot be retrieved from the cookie, the 
cookie can be faked and copied to a different browser to have login. 
But, at least, an attempt to change password will be logged. This is 
inherently insecure, but I think that if the password cannot be
retrieved from the cookie, the behaviour can be considered reasonable in 
some environments.

>
>
>Regards,
>Chris
>