incubator-clerezza-dev mailing list archives

From Reto Bachmann-Gmür (JIRA) <j...@apache.org>
Subject [jira] Commented: (CLEREZZA-44) Change cookie-based authentication
Date Tue, 26 Jan 2010 17:14:34 GMT

    [ https://issues.apache.org/jira/browse/CLEREZZA-44?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12805101#action_12805101 ]

Reto Bachmann-Gmür commented on CLEREZZA-44:
--------------------------------------------

It seems like this describes two separate issues. I agree with the first one, that the cookie
should by default expire (even though I'd like to see a check box "keep me logged in").

As for the second issue: Cookie login isn't offering more security than basic authentication;
even if we would scramble the password this wouldn't increase security, as the scrambled password
would be enough for the attacker to log in. It could even be a danger, as it makes the user
think that his password is somehow safe while in fact it isn't. What might be possible is
to encode the password together with IP and/or date; this could produce an authentication
token only valid for requests (apparently) coming from a certain IP and only valid within a
certain period. The latter would compromise the "keep me logged in" feature.

> Change cookie-based authentication
> ----------------------------------
>
>                 Key: CLEREZZA-44
>                 URL: https://issues.apache.org/jira/browse/CLEREZZA-44
>             Project: Clerezza
>          Issue Type: New Feature
>            Reporter: Marco Zaugg
>
> Authentication cookie should expire after browser session ends. Furthermore, encode login
> credentials instead of showing them as plain text.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
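The following is an added illustration of the argument in the comment above; it is not Clerezza code, and the key, user names and addresses are constructed. The first pair of functions shows why an encoded cookie value is still password-equivalent under replay, and the second pair shows the alternative the comment sketches: an HMAC-signed token bound to the client IP and a validity window, carrying no password material at all.

```python
import hashlib
import hmac

# Constructed demo key; a real server would load a long random secret from its config.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def scramble_password(password: str) -> str:
    """The 'encoded' cookie the issue asks for: a transformed password.

    Whatever the transform, the server must accept exactly this value, so
    anyone who captures the cookie can replay it. It is password-equivalent.
    """
    return hashlib.sha256(password.encode()).hexdigest()


def login_with_scrambled(cookie: str, stored_scrambled: str) -> bool:
    # The captured cookie value is all that is needed; no password recovery required.
    return hmac.compare_digest(cookie, stored_scrambled)


def issue_token(username, client_ip, now, ttl_seconds, key=SERVER_KEY):
    """Token bound to the client IP and an expiry timestamp, as proposed above.

    No password material is in the token; the MAC proves the server issued it.
    """
    if "|" in username:
        raise ValueError("username may not contain the field separator")
    expires = int(now) + int(ttl_seconds)
    payload = f"{username}|{client_ip}|{expires}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token, client_ip, now, key=SERVER_KEY):
    """Return the username if the token is genuine, unexpired and from the bound IP; else None."""
    parts = token.split("|")
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    username, bound_ip, expires, mac = parts
    expected = hmac.new(key, f"{username}|{bound_ip}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # forged or tampered payload
        return None
    if bound_ip != client_ip:                    # presented from another address
        return None
    if int(now) >= int(expires):                 # validity window elapsed
        return None
    return username
```

The expiry check is exactly the trade-off the comment notes: a short window limits how long a stolen token is useful, but it also ends a "keep me logged in" session.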

