shiro-dev mailing list archives

From "Les Hazlewood (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SHIRO-441) Explain how "Remember Me" works under the hood and that you might want to use a custom cipher key
Date Mon, 20 May 2013 18:31:21 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13662248#comment-13662248 ]

Les Hazlewood commented on SHIRO-441:
-------------------------------------

Good feedback Marian - thank you!
                
> Explain how "Remember Me" works under the hood and that you might want to use a custom cipher key
> -------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-441
>                 URL: https://issues.apache.org/jira/browse/SHIRO-441
>             Project: Shiro
>          Issue Type: Documentation
>          Components: Documentation, Sample Apps
>    Affects Versions: 1.2.1
>            Reporter: Marian Seitner
>
> Neither the tutorial (http://shiro.apache.org/tutorial.html (section "Using Shiro")) nor the reference documentation (http://shiro.apache.org/authentication.html#Authentication-Rememberedvs.Authenticated (chapter "Authentication")) give any hints that without a custom cipher key the - publicly available - default key will be used (defined in http://grepcode.com/file/repo1.maven.org/maven2/com.ning/metrics.collector/1.2.1/org/apache/shiro/mgt/AbstractRememberMeManager.java/).
> Especially the statement in the tutorial is questionable: "this is all you have to do to support 'remember me' (no config - built in!)". While true and fairly obvious to advanced developers, the potential security implications should be better explained.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
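
One way to act on the point raised in the issue, as an added example (not code from the Shiro project or from this thread): load a deployment-specific AES key at startup and set it on the `CookieRememberMeManager`, failing closed so the publicly available default key is never used. The class name and the environment variable `SHIRO_REMEMBERME_KEY` are assumptions; the code needs shiro-core, shiro-web and the Servlet API on the classpath, plus Java 8 or later for `java.util.Base64`.

```java
import java.security.Key;
import java.util.Base64;

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class RememberMeKeyConfig {

    // Assumed name of the environment variable holding the Base64-encoded key.
    static final String KEY_ENV = "SHIRO_REMEMBERME_KEY";

    /** Decodes and validates the deployment-specific AES key; fails closed if it is absent. */
    static byte[] loadKey(String base64Key) {
        if (base64Key == null || base64Key.trim().isEmpty()) {
            throw new IllegalStateException(KEY_ENV + " is not set; refusing to fall back to the built-in key");
        }
        byte[] key = Base64.getDecoder().decode(base64Key.trim());
        // AES accepts 128-, 192- or 256-bit keys only.
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalStateException("rememberMe key must be 16, 24 or 32 bytes, got " + key.length);
        }
        return key;
    }

    /** Builds a security manager whose rememberMe cookie is encrypted with the supplied key. */
    static DefaultWebSecurityManager securityManager(byte[] key) {
        CookieRememberMeManager rememberMe = new CookieRememberMeManager();
        rememberMe.setCipherKey(key); // replaces the default key for both encryption and decryption
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRememberMeManager(rememberMe);
        return manager;
    }

    public static void main(String[] args) {
        if (args.length == 1 && "generate".equals(args[0])) {
            // One-time step: print a fresh random key to place in the secret store.
            Key fresh = new AesCipherService().generateNewKey();
            System.out.println(Base64.getEncoder().encodeToString(fresh.getEncoded()));
            return;
        }
        DefaultWebSecurityManager manager = securityManager(loadKey(System.getenv(KEY_ENV)));
        System.out.println("rememberMe manager configured: " + manager.getRememberMeManager());
    }
}
```

Changing the key invalidates rememberMe cookies issued under the previous key, so affected users will have to log in again.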
