portals-jetspeed-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 4191] - Cookie-based Authorized Sessions / How can the user automatically login using a cookie? - implemented?
Date Mon, 07 Jan 2002 14:23:32 GMT
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4191

Cookie-based Authorized Sessions / How can the user automatically login using a cookie? - implemented?

------- Additional Comments From kimptoc_mail@yahoo.com  2002-01-07 06:23 -------
Doh!  When I said setTemp - I meant setPerm .... for example,
getUser().setPerm("LoginCookie",aRandomNumber).

This can be accessed by getPerm/setPerm.  

I realise that neither option (using get/setPerm or extending TurbineUser) has 
been done in Jetspeed to date.  Is there a Turbine guideline that you always 
extend TurbineUser, or in situations where there is a minor extension needed, 
this can be done through the get/setPerm?  The methods are on the User 
interface, which would imply they are for public consumption.

If the SessionValidator does not find both cookies or they are invalid, then 
the user will be treated as if they had not logged in - but will be able to 
log in in the standard way, by entering their username/password.

A problem I see with this is that if a user logs in via machine A and 
says "remember me" and then logs in via machine B, again saying remember me, 
then since the LoginCookie will be reset to a new random number, the first 
auto-login on machine A will become invalid.  Perhaps the LoginCookie regeneration 
should be an optional sub-feature?  It makes things a little more secure - but 
may not be relevant for all sites.
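
An added example, not part of the original comment and not Jetspeed or Turbine code: one way to keep LoginCookie regeneration without the machine A / machine B conflict is to store one token per machine, keep only its hash, and rotate only the entry that was used. The perm map stands in for the user's getPerm/setPerm storage; the deviceId values, the "LoginCookie.<deviceId>" key layout and the method names are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class RememberMeDemo {
    // Hypothetical stand-in for the user's permanent storage (the getPerm/setPerm pair).
    static final Map<String, Object> perm = new HashMap<>();
    static final SecureRandom RNG = new SecureRandom();

    static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Issue a token for one machine. Only the hash is stored server-side, so a
    // leaked user record does not yield a usable cookie value.
    static String issue(String deviceId) throws Exception {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        perm.put("LoginCookie." + deviceId, sha256(token));
        return token;
    }

    // Returns a fresh token on success (rotating only this machine's entry),
    // or null so the caller falls back to the username/password login.
    static String validateAndRotate(String deviceId, String presented) throws Exception {
        Object stored = perm.get("LoginCookie." + deviceId);
        if (!(stored instanceof byte[]) || presented == null) return null;
        // MessageDigest.isEqual compares in constant time.
        if (!MessageDigest.isEqual((byte[]) stored, sha256(presented))) return null;
        return issue(deviceId);
    }

    public static void main(String[] args) throws Exception {
        String a1 = issue("machineA");  // constructed device ids
        String b1 = issue("machineB");  // second "remember me" leaves A's entry alone
        String a2 = validateAndRotate("machineA", a1);
        System.out.println("A auto-login accepted:  " + (a2 != null));
        System.out.println("B still valid:          " + (validateAndRotate("machineB", b1) != null));
        System.out.println("A's old token replayed: " + (validateAndRotate("machineA", a1) != null));
        System.out.println("unknown device:         " + (validateAndRotate("machineC", a1) != null));
    }
}
```

The per-machine identifier would have to travel in its own cookie next to the token, and an explicit logout should remove that machine's entry from the stored map.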
