Posted to dev@shiro.apache.org by "Marian Seitner (JIRA)" <ji...@apache.org> on 2013/05/20 15:35:20 UTC

[jira] [Created] (SHIRO-441) Explain how "Remember Me" works under the hood and that you might want to use a custom cipher key

Marian Seitner created SHIRO-441:
------------------------------------

             Summary: Explain how "Remember Me" works under the hood and that you might want to use a custom cipher key
                 Key: SHIRO-441
                 URL: https://issues.apache.org/jira/browse/SHIRO-441
             Project: Shiro
          Issue Type: Documentation
          Components: Documentation, Sample Apps
    Affects Versions: 1.2.1
            Reporter: Marian Seitner


Neither the tutorial (http://shiro.apache.org/tutorial.html (section "Using Shiro")) nor the reference documentation (http://shiro.apache.org/authentication.html#Authentication-Rememberedvs.Authenticated (chapter "Authentication")) gives any hints that without a custom cipher key the - publicly available - default key will be used (defined in http://grepcode.com/file/repo1.maven.org/maven2/com.ning/metrics.collector/1.2.1/org/apache/shiro/mgt/AbstractRememberMeManager.java/).

Especially the statement in the tutorial is questionable: "this is all you have to do to support 'remember me' (no config - built in!)". While true and fairly obvious to advanced developers, the potential security implications should be better explained.
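Added example, not part of the JIRA report or of Shiro's own documentation: it generates a fresh AES key with Shiro's AesCipherService (the cipher AbstractRememberMeManager uses) and wires it into CookieRememberMeManager, so the remembered-identity cookie is encrypted under a per-deployment key instead of the library-wide default. The environment variable name SHIRO_REMEMBERME_KEY is a placeholder, and the shiro.ini line it prints assumes Shiro's ini bean converter accepts a Base64 string for byte[] properties.

```java
import java.security.Key;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class RememberMeKeyConfig {

    // Generate a fresh 128-bit AES key. Run once, keep the Base64 output in a
    // secret store, and hand it to the application at startup; never commit it.
    public static String generateBase64Key() {
        AesCipherService aes = new AesCipherService();   // same cipher AbstractRememberMeManager uses
        Key key = aes.generateNewKey();                  // 128-bit AES by default
        return Base64.encodeToString(key.getEncoded());
    }

    // Build a web security manager whose RememberMe cookie is encrypted with
    // the supplied key rather than the default key shipped in Shiro's source.
    public static DefaultWebSecurityManager securityManagerWithKey(String base64Key) {
        CookieRememberMeManager rememberMe = new CookieRememberMeManager();
        rememberMe.setCipherKey(Base64.decode(base64Key));
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(rememberMe);
        return sm;
    }

    public static void main(String[] args) {
        // SHIRO_REMEMBERME_KEY is a hypothetical variable name; pick your own.
        String key = System.getenv("SHIRO_REMEMBERME_KEY");
        if (key == null) {
            // No deployment key configured: emit one in shiro.ini form so the
            // operator can set it, instead of silently falling back to the default.
            System.out.println("No RememberMe key set; generated shiro.ini line:");
            System.out.println("securityManager.rememberMeManager.cipherKey = " + generateBase64Key());
            return;
        }
        securityManagerWithKey(key);
    }
}
```

An equivalent Java-less fix is the single shiro.ini property the program prints; the point is that the value must be generated per deployment and never left at the library default.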
