Re: [Seaside] “Remember Me On This Computer” kind of feature for Seaside?

Mariano Martinez Peck marianopeck at gmail.com
Wed Sep 23 19:01:08 UTC 2015


On Wed, Sep 23, 2015 at 3:08 PM, Sven Van Caekenberghe <sven at stfx.eu> wrote:

>
> > On 23 Sep 2015, at 19:45, Mariano Martinez Peck <marianopeck at gmail.com>
> wrote:
> >
> >
> >
> > On Mon, Sep 21, 2015 at 11:59 AM, Sven Van Caekenberghe <sven at stfx.eu>
> wrote:
> >
> > > On 21 Sep 2015, at 15:53, Mariano Martinez Peck <marianopeck at gmail.com>
> wrote:
> > >
> > > Hi guys,
> > >
> > > Quick question, has anyone ever implemented a kind of “Remember Me On
> This Computer” feature in Seaside? If so, any guidelines or code share? :)
> >
> > I guess it is normally implemented by storing a cookie, when you see the
> cookie back, you allow a login without further questions. That is a
> dangerous feature ;-)
> >
> > I have it implemented, using tokens limited to a week or two, and with
> cookies limited to the current browser session (i.e. they are not
> persisted). I needed this to recover automagically from expired sessions.
> But then you need to implement annotated URLs too (at least some else you
> end up at the homepage all the time).
> >
> > Hi Sven, but where are the tokens persisted on the client side?
> >
> > In my case, using the plain strategy of cookies is too insecure. I was
> taking a look at this article which seems much better:
> >
> https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2
> >
> > But don't know how hard would be to implement that in Pharo/Seaside.
> >
> > Thoughts?
>
> Well, I do what is called 'Persistent Authentication Tokens' in the
> article.
>

Indeed, I was planning to do that as well.
I guess it's not that easy for you to share the code as an example, is it? Like
one of your always super cool posts :)


>
> The timing attack is really very far fetched in my opinion (remember it is
> a networked web app whose response time is variable anyway). DOS protection
> is hard anyway.
>

Yeah, the timing attack looked like a bit too much for me as well.


>
> But I don't see why their 'Proactively Secure Long-Term User
> Authentication' would be technically harder to implement.
>

Yes, it doesn't look more complicated.


>
> It is all pretty easy, using a cookie.
>
> > Most browsers remember and autofill username/password fields, it works
> for my Seaside apps. That should be enough and is much safer.
> >
> > HTH,
> >
> > Sven
> >
> > > Thanks in advance,
> > >
> > > --
> > > Mariano
> > > http://marianopeck.wordpress.com
> > > _______________________________________________
> > > seaside mailing list
> > > seaside at lists.squeakfoundation.org
> > > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
> >
> > --
> > Mariano
> > http://marianopeck.wordpress.com
> > _______________________________________________
> > seaside mailing list
> > seaside at lists.squeakfoundation.org
> > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
>



-- 
Mariano
http://marianopeck.wordpress.com
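As an added illustration of the 'Persistent Authentication Tokens' scheme Sven says he uses (the selector/validator split from the linked article, with the validator stored only as a hash and compared in constant time), here is a small Python sketch. It is my example, not Sven's or Seaside's code, and the in-memory `TOKENS` dict and two-week `TOKEN_LIFETIME` are assumptions standing in for a real token table.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side token table: selector -> (user_id, sha256(validator), expiry)
TOKENS = {}
TOKEN_LIFETIME = 14 * 24 * 3600  # two weeks, as in the thread (assumption)


def issue_token(user_id, now=None):
    """Create a remember-me token; return the cookie value 'selector:validator'."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(9)    # public lookup key, stored in clear
    validator = secrets.token_urlsafe(24)  # secret; only its hash is stored
    digest = hashlib.sha256(validator.encode()).hexdigest()
    TOKENS[selector] = (user_id, digest, now + TOKEN_LIFETIME)
    return f"{selector}:{validator}"


def authenticate(cookie, now=None):
    """Return the user id for a valid cookie, else None; drop expired tokens."""
    now = time.time() if now is None else now
    selector, sep, validator = cookie.partition(":")
    if not sep:
        return None
    record = TOKENS.get(selector)        # lookup by selector only, never by secret
    if record is None:
        return None
    user_id, stored_digest, expires = record
    if now > expires:
        del TOKENS[selector]
        return None
    presented = hashlib.sha256(validator.encode()).hexdigest()
    # constant-time comparison of the hashes closes the timing leak the thread discusses
    if not hmac.compare_digest(presented, stored_digest):
        return None
    return user_id


def revoke(cookie):
    """Invalidate a token on explicit logout."""
    TOKENS.pop(cookie.partition(":")[0], None)
```

A stolen copy of the database yields only selectors and hashes, so an attacker cannot forge a valid cookie from it.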