Re: [Seaside] “Remember Me On This Computer” kind of feature for Seaside?

Sven Van Caekenberghe sven at stfx.eu
Wed Sep 23 18:08:43 UTC 2015


> On 23 Sep 2015, at 19:45, Mariano Martinez Peck <marianopeck at gmail.com> wrote:
> 
> 
> 
> On Mon, Sep 21, 2015 at 11:59 AM, Sven Van Caekenberghe <sven at stfx.eu> wrote:
> 
> > On 21 Sep 2015, at 15:53, Mariano Martinez Peck <marianopeck at gmail.com> wrote:
> >
> > Hi guys,
> >
> > Quick question, has anyone ever implemented a kind of “Remember Me On This Computer” feature in Seaside? If so, any guidelines or code share? :)
> 
> I guess it is normally implemented by storing a cookie, when you see the cookie back, you allow a login without further questions. That is a dangerous feature ;-)
> 
> I have it implemented, using tokens limited to a week or two, and with cookies limited to the current browser session (i.e. they are not persisted). I needed this to recover automagically from expired sessions. But then you need to implement annotated URLs too (at least some, else you end up at the homepage all the time).
> 
> Hi Sven, but where are the tokens persisted on the client side?
>  
> In my case, using the plain strategy of cookies is too insecure. I was taking a look at this article, which seems much better:
> https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2
> 
> But I don't know how hard it would be to implement that in Pharo/Seaside.
> 
> Thoughts?

Well, I do what is called 'Persistent Authentication Tokens' in the article.

The timing attack is really very far-fetched in my opinion (remember it is a networked web app whose response time is variable anyway). DOS protection is hard anyway.

But I don't see why their 'Proactively Secure Long-Term User Authentication' would be technically harder to implement.

It is all pretty easy, using a cookie.

> Most browsers remember and autofill username/password fields, it works for my Seaside apps. That should be enough and is much safer.
> 
> HTH,
> 
> Sven
> 
> > Thanks in advance,
> >
> > --
> > Mariano
> > http://marianopeck.wordpress.com
> > _______________________________________________
> > seaside mailing list
> > seaside at lists.squeakfoundation.org
> > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
> 
> 
> 
> 
> -- 
> Mariano
> http://marianopeck.wordpress.com
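The 'Persistent Authentication Tokens' scheme the thread refers to, as an added Python example that is not code from the thread, from Seaside or from the linked article: the cookie carries a random selector plus a random validator, the server stores only a hash of the validator, rows are looked up by selector, the hash comparison is constant-time (the timing concern discussed above), and tokens expire after the two weeks Sven mentions and are consumed on use. The class name, its methods and the in-memory table are assumptions; a Seaside application would keep the rows in its own database and set/read the cookie on the HTTP response/request.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_LIFETIME = 14 * 24 * 3600  # two weeks, the lifetime mentioned in the thread


class RememberMeStore:
    """Server-side table of persistent auth tokens (in-memory stand-in for a database)."""

    def __init__(self, now=time.time):
        self._rows = {}  # selector -> (validator_hash, user, expires_at)
        self._now = now  # injectable clock so expiry can be exercised in tests

    @staticmethod
    def _hash(validator):
        return hashlib.sha256(validator.encode()).digest()

    def issue(self, user):
        """Create a fresh token and return the cookie value 'selector:validator'."""
        selector = secrets.token_urlsafe(12)   # public lookup key, not secret
        validator = secrets.token_urlsafe(32)  # secret; only its hash is stored
        self._rows[selector] = (self._hash(validator), user, self._now() + TOKEN_LIFETIME)
        return f"{selector}:{validator}"

    def redeem(self, cookie):
        """Return the user for a valid, unexpired cookie (consuming it), else None."""
        selector, sep, validator = cookie.partition(":")
        if not sep:
            return None
        row = self._rows.get(selector)  # lookup by selector, not by the secret
        if row is None:
            return None
        stored_hash, user, expires_at = row
        if self._now() > expires_at:
            del self._rows[selector]  # expired: drop the row, force a real login
            return None
        # Constant-time compare of the hashes so the validator check leaks no timing.
        if not hmac.compare_digest(stored_hash, self._hash(validator)):
            return None
        del self._rows[selector]  # single use: the caller issues a new token after login
        return user

    def refresh(self, cookie):
        """Redeem a cookie and, if valid, return (user, new_cookie) for token rotation."""
        user = self.redeem(cookie)
        return None if user is None else (user, self.issue(user))
```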


