portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Spencer <pau...@apache.org>
Subject Re: DO NOT REPLY [Bug 4191] - Cookie-based Authorized Sessions / How can the user automatically login using a cookie? - implemented?
Date Fri, 04 Jan 2002 17:33:56 GMT


bugzilla@apache.org wrote:

> ------- Additional Comments From kimptoc_mail@yahoo.com  2002-01-04 09:03 -------
> Here is what I plan to do:
> 
> Add the following to JR.p
> automatic.logon.enable true/false


Default = false


> automatic.logon.expires [life of auto login]


Default = 1 month


> automatic.logon.domain [of the cookie - needed? or use getServer()]


If not present or equal "", then use getServer(). 
Default value = ""


> 
> There will be 2 cookies on the user machine, one with the user id in plain text
> and one with a random id, generated each time they logon.  This means that the 
> cookie can be copied and used from machine to machine - but cannot be generated 
> by just knowing the user id.
> 
> Amend the login templates to have a "remember me" check box ala yahoo.
> Amend JLoginUser, if enable/user selects remember me, stores cookies.
> Amend EditAccount to have the "remember me" checkbox - so that a user can turn 
> it off from that page
> Amend Logout to remove the cookie.
> Amend SessionValidator to use the cookie to log the user in - if the user 
> id/random number on the user PC match the entries in the persistent store.


Are you extending the Turbine user class to store the random number?  I think

this is a good place since it will survive a restart and all of the user 
information is currently in this class.


> 
> Comments?
> 
> Looking at the tomcat single sign on facility, it seems to be a tomcat specific 
> feature - meaning that we would be tying jetspeed to tomcat - which I don't 
> want to do.  It also would probably mean a significant change to map the 
> TurbineUser onto the servlet realm/principal entries - perhaps something that 
> would be easier with Turbine3.  The only advantage is that it allows for a 
> single logon to be valid for several webapps on a server - but since Jetspeed 
> manages multiple portlets (mini-apps), I don't think it is much of an advantage.
> 

Paul Spencer




--
To unsubscribe, e-mail:   <mailto:jetspeed-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:jetspeed-dev-help@jakarta.apache.org>


Mime
View raw message