Hi guys,
Quick question, has anyone ever implemented a kind of “Remember Me On This Computer” feature in Seaside? If so, any guidelines or code share? :)
Thanks in advance,
Hi Mariano,
Quick question, has anyone ever implemented a kind of Remember Me On This Computer feature in Seaside? If so, any guidelines or code share? :)
Thanks in advance,
I have. It has been a while, so I don't remember the details but it was simple. Create a cookie at a point in time when you have the info you want to remember, with whatever info you want to remember. Read the cookie when things start. No cookie - nothing to remember, cookie - use whatever you wanted to remember.
Lou
-----------------------------------------------------------
Louis LaBrunda
Keystone Software Corp.
SkypeMe callto://PhotonDemon
mailto:Lou@Keystone-Software.com http://www.Keystone-Software.com
On 21 Sep 2015, at 15:53, Mariano Martinez Peck marianopeck@gmail.com wrote:
Hi guys,
Quick question, has anyone ever implemented a kind of “Remember Me On This Computer” feature in Seaside? If so, any guidelines or code share? :)
I guess it is normally implemented by storing a cookie, when you see the cookie back, you allow a login without further questions. That is a dangerous feature ;-)
I have it implemented, using tokens limited to a week or two, and with cookies limited to the current browser session (i.e. they are not persisted). I needed this to recover automagically from expired sessions. But then you need to implement annotated URLs too (at least some, else you end up at the homepage all the time).
Most browsers remember and autofill username/password fields, it works for my Seaside apps. That should be enough and is much safer.
HTH,
Sven
Thanks in advance,
--
Mariano
http://marianopeck.wordpress.com
_______________________________________________
seaside mailing list
seaside@lists.squeakfoundation.org
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
On Mon, Sep 21, 2015 at 11:59 AM, Sven Van Caekenberghe sven@stfx.eu wrote:
On 21 Sep 2015, at 15:53, Mariano Martinez Peck marianopeck@gmail.com wrote:
Hi guys,
Quick question, has anyone ever implemented a kind of “Remember Me On This Computer” feature in Seaside? If so, any guidelines or code share? :)
I guess it is normally implemented by storing a cookie, when you see the cookie back, you allow a login without further questions. That is a dangerous feature ;-)
I have it implemented, using tokens limited to a week or two, and with cookies limited to the current browser session (i.e. they are not persisted). I needed this to recover automagically from expired sessions. But then you need to implement annotated URLs too (at least some, else you end up at the homepage all the time).
Hi Sven, but where are the tokens persisted on the client side?
In my case, using the plain strategy of cookies is too insecure. I was taking a look at this article, which seems much better: https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-...
But I don't know how hard it would be to implement that in Pharo/Seaside.
Thoughts?
Most browsers remember and autofill username/password fields, it works for my Seaside apps. That should be enough and is much safer.
HTH,
Sven
Thanks in advance,
On 23 Sep 2015, at 19:45, Mariano Martinez Peck marianopeck@gmail.com wrote:
On Mon, Sep 21, 2015 at 11:59 AM, Sven Van Caekenberghe sven@stfx.eu wrote:
On 21 Sep 2015, at 15:53, Mariano Martinez Peck marianopeck@gmail.com wrote:
Hi guys,
Quick question, has anyone ever implemented a kind of “Remember Me On This Computer” feature in Seaside? If so, any guidelines or code share? :)
I guess it is normally implemented by storing a cookie, when you see the cookie back, you allow a login without further questions. That is a dangerous feature ;-)
I have it implemented, using tokens limited to a week or two, and with cookies limited to the current browser session (i.e. they are not persisted). I needed this to recover automagically from expired sessions. But then you need to implement annotated URLs too (at least some, else you end up at the homepage all the time).
Hi Sven, but where are the tokens persisted on the client side?
In my case, using the plain strategy of cookies is too insecure. I was taking a look at this article, which seems much better: https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-...
But I don't know how hard it would be to implement that in Pharo/Seaside.
Thoughts?
Well, I do what is called 'Persistent Authentication Tokens' in the article.
The timing attack is really very far fetched in my opinion (remember it is a networked web app whose response time is variable anyway). DOS protection is hard anyway.
But I don't see why their 'Proactively Secure Long-Term User Authentication' would be technically harder to implement.
It is all pretty easy, using a cookie.
Most browsers remember and autofill username/password fields, it works for my Seaside apps. That should be enough and is much safer.
HTH,
Sven
Thanks in advance,
On Wed, Sep 23, 2015 at 3:08 PM, Sven Van Caekenberghe sven@stfx.eu wrote:
On 23 Sep 2015, at 19:45, Mariano Martinez Peck marianopeck@gmail.com wrote:
On Mon, Sep 21, 2015 at 11:59 AM, Sven Van Caekenberghe sven@stfx.eu wrote:
On 21 Sep 2015, at 15:53, Mariano Martinez Peck marianopeck@gmail.com wrote:
Hi guys,
Quick question, has anyone ever implemented a kind of “Remember Me On This Computer” feature in Seaside? If so, any guidelines or code share? :)
I guess it is normally implemented by storing a cookie, when you see the cookie back, you allow a login without further questions. That is a dangerous feature ;-)
I have it implemented, using tokens limited to a week or two, and with cookies limited to the current browser session (i.e. they are not persisted). I needed this to recover automagically from expired sessions. But then you need to implement annotated URLs too (at least some, else you end up at the homepage all the time).
Hi Sven, but where are the tokens persisted on the client side?
In my case, using the plain strategy of cookies is too insecure. I was taking a look at this article, which seems much better: https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-...
But I don't know how hard it would be to implement that in Pharo/Seaside.
Thoughts?
Well, I do what is called 'Persistent Authentication Tokens' in the article.
Indeed, I was planning to do that as well. I guess it's not that easy for you to share the code as an example, is it? Like one of your always super cool posts :)
The timing attack is really very far fetched in my opinion (remember it is a networked web app whose response time is variable anyway). DOS protection is hard anyway.
Yeah, the timing attack looked like a bit too much for me as well.
But I don't see why their 'Proactively Secure Long-Term User Authentication' would be technically harder to implement.
Yes, it doesn't look more complicated.
It is all pretty easy, using a cookie.
Most browsers remember and autofill username/password fields, it works for my Seaside apps. That should be enough and is much safer.
HTH,
Sven
Thanks in advance,