Hi, wicket-auth-roles' SignInPanel rememberMe functionality is broken at the moment (https://issues.apache.org/jira/browse/WICKET-5855).
The reason is that now the crypt key is saved in the Session. When a user comes back, a new session with a new key is created and it is not possible to decrypt the saved cookie, so the automatic login doesn't work.

AFAIS the only way for this functionality to work is to use a stable crypt key. This key should be something private to the project though. Otherwise, if an attacker knows the key and is able to read the value of the cookie, then (s)he will be able to decrypt it and will have the user's credentials.

The only String that is both stable and still custom to the application and that could be used as a key is the application name. In branch 'WICKET-5855-fix-rememberMe' I've made a change that uses it and fixes the problem.

Another solution is to add a second parameter to the DefaultAuthenticationStrategy constructor and make it so that the application has to configure the authentication strategy explicitly instead of having a default configured by Wicket. This way the application developer will have to set a custom key.

Do you have other ideas?

Martin Grigorov
Freelancer, available for hire!
Wicket Training and Consulting
https://twitter.com/mtgrigorov
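The failure mode described in the mail, as an added illustration that is not Martin's branch or Wicket's own code: a stand-in for DefaultAuthenticationStrategy that encrypts "user:password" into a cookie, exercised once with a key generated per Session and once with a stable application-wide key. The cipher (HMAC-SHA256 in counter mode plus an HMAC tag), the class and function names, and the sample credentials are all constructed for the example.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream (constructed stand-in for Wicket's ICrypt).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

class RememberMeStrategy:
    """Stand-in for DefaultAuthenticationStrategy: stores 'user:password' encrypted in a cookie."""
    def __init__(self, encryption_key: bytes):
        if not encryption_key:  # the 'explicit key' variant: refuse to run with no configured key
            raise ValueError("an explicit encryption key must be configured")
        self.key = encryption_key

    def save(self, username: str, password: str) -> str:
        plaintext = f"{username}:{password}".encode()
        nonce = secrets.token_bytes(16)
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(self.key, nonce, len(plaintext))))
        tag = hmac.new(self.key, nonce + ciphertext, hashlib.sha256).digest()
        return (nonce + ciphertext + tag).hex()

    def load(self, cookie: str):
        raw = bytes.fromhex(cookie)
        nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
        expected = hmac.new(self.key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong key (or tampered cookie): the saved credentials cannot be recovered
        plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(self.key, nonce, len(ciphertext))))
        return tuple(plaintext.decode().split(":", 1))

def simulate_return_visit(key_factory):
    """Session 1 logs in and sets the cookie; a fresh Session 2 then attempts the automatic login."""
    first_session = RememberMeStrategy(key_factory())
    cookie = first_session.save("alice", "s3cret")  # constructed sample credentials
    second_session = RememberMeStrategy(key_factory())
    return second_session.load(cookie)

def session_scoped_key() -> bytes:
    # Current (broken) behaviour: a new random crypt key for every Session.
    return secrets.token_bytes(32)

APP_KEY = secrets.token_bytes(32)  # stable, application-wide key configured once (constructed)

def stable_key() -> bytes:
    return APP_KEY
```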
