We could store a uniquely generated key in the file system. Would be a bummer if that got wiped, but then it is only used for the stored cookies, right? Worst case when the file system is nuked it will cause everybody to have to log in again.
Martijn

On Fri, Mar 27, 2015 at 9:29 PM, Martin Grigorov <[email protected]> wrote:
> Hi,
>
> wicket-auth-roles' SignInPanel rememberMe functionality is broken at the
> moment (https://issues.apache.org/jira/browse/WICKET-5855).
>
> The reason is that now the crypt key is saved in the Session. When a user
> comes back a new session with a new key is created and it is not possible
> to decrypt the saved cookie so the automatic login doesn't work.
>
> AFAIS the only way for this functionality to work is to use a stable crypt key.
> This key should be something private to the project though. Otherwise if an
> attacker knows the key and is able to read the value of the cookie then
> (s)he will be able to decrypt it and will have the user's credentials.
>
> The only both stable and still custom to the application String that could
> be used as a key is the application name. In branch
> 'WICKET-5855-fix-rememberMe' I've made a change that uses it and fixes the
> problem.
>
> Another solution is to add a second parameter
> to DefaultAuthenticationStrategy constructor and make it so that the
> application should configure the authentication strategy explicitly instead
> of having a default configured by Wicket. This way the application
> developer will have to set a custom key.
>
> Do you have other ideas ?
>
> Martin Grigorov
> Freelancer, available for hire!
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov

--
Become a Wicket expert, learn from the best: http://wicketinaction.com
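The failure Martin describes (a key that dies with the session) and Martijn's file-stored key, as an added illustration in Go. This is not Wicket's code (which is Java); loadOrCreateAppKey and cookieCrypt are names invented here, and AES-256-GCM stands in for whatever ICrypt the application configures.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"os"
)

// loadOrCreateAppKey keeps one random 32-byte key in the file system (Martijn's suggestion): stable across sessions and restarts, private to the deployment; losing it only voids old cookies.
func loadOrCreateAppKey(path string) ([]byte, error) {
	if k, err := os.ReadFile(path); err == nil && len(k) == 32 {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, os.WriteFile(path, k, 0o600) // 0600: readable by the application user only
}

// cookieCrypt stands in for Wicket's ICrypt for the rememberMe cookie (AES-256-GCM here).
type cookieCrypt struct{ gcm cipher.AEAD }
func newCookieCrypt(key []byte) (*cookieCrypt, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &cookieCrypt{gcm}, err
}

// Seal encrypts "user:password"; the random nonce is prepended to the ciphertext.
func (c *cookieCrypt) Seal(credentials string) (string, error) {
	nonce := make([]byte, c.gcm.NonceSize())
	_, err := rand.Read(nonce)
	return base64.RawURLEncoding.EncodeToString(c.gcm.Seal(nonce, nonce, []byte(credentials), nil)), err
}

// Open decrypts a cookie. Under any other key the GCM tag check fails, which is WICKET-5855 in miniature: the key lived in a session that no longer exists, so the cookie is unreadable.
func (c *cookieCrypt) Open(cookie string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	n := c.gcm.NonceSize()
	if err != nil || len(raw) < n {
		return "", errors.New("malformed cookie")
	}
	plain, err := c.gcm.Open(nil, raw[:n], raw[n:], nil)
	return string(plain), err
}
```

A key derived from the application name would be equally stable but not private, since the name is normally visible in the deployment descriptor; the random file-backed key satisfies both requirements Martin lists.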
