portals-jetspeed-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 4191] - Cookie-based Authorized Sessions / How can the user automatically login using a cookie? - implemented?
Date Fri, 04 Jan 2002 17:03:04 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4191>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

------- Additional Comments From kimptoc_mail@yahoo.com  2002-01-04 09:03 -------
Here is what I plan to do:

Add the following to JR.p
automatic.logon.enable true/false
automatic.logon.expires [life of auto login]
automatic.logon.domain [of the cookie - needed? or use getServer()]

There will be 2 cookies on the user machine, one with the user id in plain text
and one with a random id, generated each time they logon.  This means that the 
cookie can be copied and used from machine to machine - but cannot be generated 
by just knowing the user id.

Amend the login templates to have a "remember me" check box à la Yahoo.
Amend JLoginUser, if enable/user selects remember me, stores cookies.
Amend EditAccount to have the "remember me" checkbox - so that a user can turn 
it off from that page
Amend Logout to remove the cookie.
Amend SessionValidator to use the cookie to log the user in - if the user 
id/random number on the user PC match the entries in the persistent store.

Comments?

Looking at the Tomcat single sign-on facility, it seems to be a Tomcat-specific 
feature - meaning that we would be tying Jetspeed to Tomcat - which I don't 
want to do.  It also would probably mean a significant change to map the 
TurbineUser onto the servlet realm/principal entries - perhaps something that 
would be easier with Turbine3.  The only advantage is that it allows for a 
single logon to be valid for several webapps on a server - but since Jetspeed 
manages multiple portlets (mini-apps), I don't think it is much of an advantage.

--
To unsubscribe, e-mail:   <mailto:jetspeed-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:jetspeed-dev-help@jakarta.apache.org>

