From: Reto Bachmann-Gmür (JIRA)
To: clerezza-dev@incubator.apache.org
Date: Tue, 26 Jan 2010 17:14:34 +0000 (UTC)
Subject: [jira] Commented: (CLEREZZA-44) Change cookie-based authentication
Message-ID: <461844913.41431264526074621.JavaMail.jira@brutus.apache.org>
In-Reply-To: <1401583734.1261131678201.JavaMail.jira@brutus>

[ https://issues.apache.org/jira/browse/CLEREZZA-44?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12805101#action_12805101 ]

Reto Bachmann-Gmür commented on CLEREZZA-44:
--------------------------------------------

It seems like this describes two separate issues. I agree with the first one, that the cookie should by default expire (even though I'd like to see a check box "keep me logged in").

As for the second issue: Cookie login isn't offering more security than basic authentication; even if we would scramble the password this wouldn't increase security, as the scrambled password would be enough for the attacker to log in. It could even be a danger as it makes the user think that his password is somehow safe while in fact it isn't. What might be possible is to encode the password together with IP and/or date; this could produce an authentication token only valid for requests (apparently) coming from a certain IP and only valid within a certain period. The latter would compromise the "keep me logged in" feature.

> Change cookie-based authentication
> ----------------------------------
>
>                 Key: CLEREZZA-44
>                 URL: https://issues.apache.org/jira/browse/CLEREZZA-44
>             Project: Clerezza
>          Issue Type: New Feature
>            Reporter: Marco Zaugg
>
> Authentication cookie should expire after browser session ends. Furthermore, encode login credentials instead of showing them as plain text.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
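The two points in the comment above, a cookie that expires with the browser session and a credential-bound token that is only valid for one client and one time window, as an added illustration that is not part of the JIRA thread and not Clerezza code. Where the comment speaks of encoding the password together with IP and date, this example instead signs the claims with a server-side HMAC key so the password itself never leaves the server; that substitution, the `SERVER_KEY`, the IP addresses and the timestamps are all constructed for the example. The first function shows the scheme the comment argues against: a hashed password in the cookie is accepted whenever it matches, regardless of time or client.

```python
"""Session token bound to client IP and expiry, plus the Set-Cookie
attributes that make the cookie expire with the browser session.
Added illustration; key and sample values are constructed."""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed server-side secret; a real deployment generates and rotates it.
SERVER_KEY = b"constructed-example-key-not-for-production"


def scrambled_cookie_accepts(cookie_value: str, stored_password_hash: str) -> bool:
    """The scheme the comment argues against: the cookie carries a hash of
    the password and the server compares it with the stored hash.  Nothing
    in the check depends on time or client, so the hash is just the password
    in another form and stays valid for as long as the password does."""
    return hmac.compare_digest(cookie_value, stored_password_hash)


def _mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_token(username: str, client_ip: str, now: int, ttl_seconds: int,
                key: bytes = SERVER_KEY) -> str:
    """Token = base64(claims) '.' base64(HMAC-SHA256 over claims).
    The password is not in the token; the server key makes the tag
    unforgeable, and 'ip' and 'exp' bind it to a client and a period."""
    claims = {"u": username, "ip": client_ip, "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = _mac(payload, key)
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def verify_token(token: str, client_ip: str, now: int,
                 key: bytes = SERVER_KEY) -> tuple:
    """Return (username, 'ok') or (None, reason).  The MAC is checked in
    constant time before any claim is trusted; the token is then rejected
    once 'exp' has passed or when presented from a different IP."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None, "malformed"
    if not hmac.compare_digest(tag, _mac(payload, key)):
        return None, "bad signature"
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None, "expired"
    if claims["ip"] != client_ip:
        return None, "ip mismatch"
    return claims["u"], "ok"


def set_cookie_header(token: str, keep_logged_in: bool, ttl_seconds: int) -> str:
    """Without Max-Age the browser discards the cookie when the session
    ends (the first point in the comment); ticking 'keep me logged in'
    opts into a persistent cookie.  HttpOnly keeps it away from scripts,
    Secure keeps it off plaintext HTTP."""
    attrs = ["auth=" + token, "Path=/", "HttpOnly", "Secure"]
    if keep_logged_in:
        attrs.append("Max-Age=%d" % ttl_seconds)
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    # Constructed walk-through: issue at t=1000 for 10 minutes from 203.0.113.5.
    tok = issue_token("alice", "203.0.113.5", now=1000, ttl_seconds=600)
    print(set_cookie_header(tok, keep_logged_in=False, ttl_seconds=600))
    print(verify_token(tok, "203.0.113.5", now=1500))   # ('alice', 'ok')
    print(verify_token(tok, "203.0.113.5", now=1600))   # (None, 'expired')
    print(verify_token(tok, "198.51.100.7", now=1500))  # (None, 'ip mismatch')
```

Note the trade-off the comment names: the `exp` claim is what defeats a captured token after a while, and it is exactly what a long-lived "keep me logged in" cookie has to relax, so `ttl_seconds` for the persistent case is a policy choice rather than something the code can settle. The IP binding also only holds for clients whose address is stable; behind a NAT or a changing mobile address it will produce spurious `ip mismatch` rejections.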