[Seaside] "Remember me" in Seaside

Sven Van Caekenberghe sven at stfx.eu
Tue Mar 11 19:27:36 UTC 2014


What I do (and the part that I described in the message) was to remember the *username*, **not** the password, as a convenience for the user to log in faster (something that most browsers can do too, with the password even). I think that is always safe.

The other functionality (maybe that is what you were asking for) is to keep the user really logged in for a longer time (say days or weeks) even when the session expires.

That I have not yet done with the (mobile) Seaside app that I am currently working on, but I plan to do it (although it will be hard(er) in Seaside because explicit/annotated URLs are needed I think).

I have done it in another mobile web app, and it is indeed quite tricky to do. What I did, if I remember correctly, was to generate a hard to guess token that is the value of the cookie. These tokens are then kept in a table on the server where the critical data to restart the session, like username/password is stored. 

Indeed, someone stealing the cookie in transit can then login, but the same is true for a regular login using username/password. The only modern solution is to always use HTTPS.

Another thing that I tried was 'user agent fingerprinting': remembering some (header) properties of the user agent and then enforcing them, but this is hard to do reliably.

On 11 Mar 2014, at 20:03, Esteban A. Maringolo <emaringolo at gmail.com> wrote:

> But what if I spoof the cookie with a particular username?
> 
> There should be a server side session whitelist, and a shared token.
> Shouldn't it?
> 
> Regards!
> Esteban A. Maringolo
> 
> 
> 2014-03-11 8:10 GMT-03:00 Sven Van Caekenberghe <sven at stfx.eu>:
>> I do it with my own cookie, very easy to do:
>> 
>> "before showing the username"
>> 
>> (self requestContext request cookieAt: self loginUsernameCookieKey)
>>  ifNotNil: [ :cookie | username := cookie value ]
>> 
>> "after a successful login"
>> 
>> self requestContext response addCookie: self loginUsernameCookie.
>> 
>> where
>> 
>> loginUsernameCookie
>>  ^ self requestContext newCookie
>>      key: self loginUsernameCookieKey;
>>      value: self username;
>>      expireIn: 1 year;
>>      yourself
>> 
>> HTH,
>> 
>> Sven
>> 
>> On 11 Mar 2014, at 09:39, Torsten Bergmann <astares at gmx.de> wrote:
>> 
>>> Any code to share for a "remember me" functionality on logins?
>>> Is there a common pattern on how to do it?
>>> 
>>> Thx
>>> T.
>>> _______________________________________________
>>> seaside mailing list
>>> seaside at lists.squeakfoundation.org
>>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>> 


