[Seaside] "Remember me" in Seaside
Sven Van Caekenberghe
sven at stfx.eu
Tue Mar 11 19:27:36 UTC 2014
What I do (and the part that I described in the message) was to remember the *username*, **not** the password, as a convenience for the user to log in faster (something that most browsers can do too, with the password even). I think that is always safe.
The other functionality (maybe that is what your were asking for) is to keep the user really logged in for a longer time (say days or weeks) even when the session expires.
That I have not yet done with the (mobile) Seaside app that I am currently working on, but I plan to do it (although it will be hard(er) in Seaside because explicit/annotated URLs are needed I think).
I have done it in another mobile web app, and it is indeed quite tricky to do. What I did, if I remember correctly, was to generate a hard to guess token that is the value of the cookie. These tokens are then kept in a table on the server where the critical data to restart the session, like username/password is stored.
Indeed, someone stealing the cookie in transit can then login, but the same is true for a regular login using username/password. The only modern solution is to always use HTTPS.
Another thing that I tried was 'user agent finger printing': remembering some (header) properties of the user agent and then enforce them, but this is hard to do reliably.
On 11 Mar 2014, at 20:03, Esteban A. Maringolo <emaringolo at gmail.com> wrote:
> But what if I spoof the cookie with a particular username?
> There should be a server side session whitelist, and a shared token.
> Shouldn't it?
> Esteban A. Maringolo
> 2014-03-11 8:10 GMT-03:00 Sven Van Caekenberghe <sven at stfx.eu>:
>> I do it with my own cookie, very easy to do:
>> "before showing the username"
>> (self requestContext request cookieAt: self loginUsernameCookieKey)
>> ifNotNil: [ :cookie | username := cookie value ]
>> "after a successful login"
>> self requestContext response addCookie: self loginUsernameCookie.
>> ^ self requestContext newCookie
>> key: self loginUsernameCookieKey;
>> value: self username;
>> expireIn: 1 year;
>> On 11 Mar 2014, at 09:39, Torsten Bergmann <astares at gmx.de> wrote:
>>> Any code to share for a "remember me" functionality on logins?
>>> Is there a common pattern on how to do it?
>>> seaside mailing list
>>> seaside at lists.squeakfoundation.org
>> seaside mailing list
>> seaside at lists.squeakfoundation.org
> seaside mailing list
> seaside at lists.squeakfoundation.org
More information about the seaside