I think this won't work for cluster deployment. In that case each server will have its own key. Next time the user comes it may be served by a different machine ...
Martin Grigorov
Freelancer, available for hire!
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Sun, Mar 29, 2015 at 12:20 PM, Martijn Dashorst <[email protected]> wrote:

> We could store a uniquely generated key in the file system. Would be a
> bummer if that got wiped, but then it is only used for the stored
> cookies, right? Worst case when the file system is nuked it will cause
> everybody to have to log in again.
>
> Martijn
>
>
> On Fri, Mar 27, 2015 at 9:29 PM, Martin Grigorov <[email protected]> wrote:
> > Hi,
> >
> > wicket-auth-roles' SignInPanel rememberMe functionality is broken at the
> > moment (https://issues.apache.org/jira/browse/WICKET-5855).
> >
> > The reason is that now the crypt key is saved in the Session. When a user
> > comes back a new session with a new key is created and it is not possible
> > to decrypt the saved cookie so the automatic login doesn't work.
> >
> > AFAIS the only way this functionality to work is to use a stable crypt key.
> > This key should be something private to the project though. Otherwise if an
> > attacker knows the key and is able to read the value of the cookie then
> > (s)he will be able to decrypt it and will have the user's credentials.
> >
> > The only both stable and still custom to the application String that could
> > be used as a key is the application name. In branch
> > 'WICKET-5855-fix-rememberMe' I've made a change that uses it and fixes the
> > problem.
> >
> > Another solution is to add a second parameter
> > to DefaultAuthenticationStrategy constructor and make it so that the
> > application should configure the authentication strategy explicitly instead
> > of having a default configured by Wicket. This way the application
> > developer will have to set a custom key.
> >
> > Do you have other ideas?
> >
> > Martin Grigorov
> > Freelancer, available for hire!
> > Wicket Training and Consulting
> > https://twitter.com/mtgrigorov
>
>
>
> --
> Become a Wicket expert, learn from the best: http://wicketinaction.com
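The two failure modes discussed in the thread (a key that changes per session, and a key that differs per cluster node) are easy to reproduce with a small standalone codec. The class below is an added illustration written for this page; it is not Wicket's DefaultAuthenticationStrategy or any other Wicket code, and the class name RememberMeCodec, the environment variable REMEMBER_ME_KEY and the key handling are assumptions. It encrypts the cookie value with AES-GCM under a key supplied by deployment configuration, so every session and every node in the cluster uses the same secret, and it returns null for a cookie that was produced under a different key (the case Martin describes: a new session, or another machine, with its own key).

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Hypothetical remember-me cookie codec (added example, not Wicket code).
 * One long-lived application key is shared by every session and every node,
 * which is what makes a cookie written today readable on a later visit.
 */
public final class RememberMeCodec {
    private static final int IV_BYTES = 12;   // GCM nonce length
    private static final int TAG_BITS = 128;  // GCM authentication tag length
    private final SecretKey key;
    private final SecureRandom random = new SecureRandom();

    /** The key must be 16 or 32 bytes of real randomness, never a guessable string such as the application name. */
    public RememberMeCodec(byte[] rawKey) {
        if (rawKey.length != 16 && rawKey.length != 32) {
            throw new IllegalArgumentException("AES key must be 16 or 32 bytes");
        }
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    /** Loads the key from a base64-encoded environment variable (assumed name) so it is configured per deployment, not hard-coded. */
    public static RememberMeCodec fromEnvironment(String variableName) {
        String encoded = System.getenv(variableName);
        if (encoded == null) {
            throw new IllegalStateException(variableName + " is not set; refusing to fall back to a predictable key");
        }
        return new RememberMeCodec(Base64.getDecoder().decode(encoded));
    }

    /** Encrypts the value with a fresh random nonce; output is url-safe base64 of nonce || ciphertext || tag. */
    public String encode(String value) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ciphertext = cipher.doFinal(value.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ciphertext.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ciphertext, 0, out, iv.length, ciphertext.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Returns the stored value, or null when the cookie was not produced under this key (other node, new session key, or tampering). */
    public String decode(String cookieValue) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(cookieValue);
            if (in.length < IV_BYTES + TAG_BITS / 8) {
                return null;
            }
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
            byte[] plaintext = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
            return new String(plaintext, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            // AEADBadTagException (wrong key or modified cookie) and malformed base64 both end up here
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the deployment-wide key that every node would load from REMEMBER_ME_KEY.
        byte[] sharedKey = new byte[32];
        new SecureRandom().nextBytes(sharedKey);
        RememberMeCodec nodeA = new RememberMeCodec(sharedKey);
        RememberMeCodec nodeB = new RememberMeCodec(sharedKey);

        String cookie = nodeA.encode("alice");
        System.out.println("node B, same key:   " + nodeB.decode(cookie));

        // A key generated per session (the broken behaviour from WICKET-5855) cannot read the old cookie.
        byte[] perSessionKey = new byte[32];
        new SecureRandom().nextBytes(perSessionKey);
        RememberMeCodec newSession = new RememberMeCodec(perSessionKey);
        System.out.println("new session key:    " + newSession.decode(cookie));
    }
}
```

Running main shows the first decode succeeding because both nodes share the key, and the second returning null, which is exactly the symptom reported in the issue when the key lives in the Session. Two practical notes: the key has to be distributed to every node through configuration or a shared secret store rather than generated on each machine's file system, and whatever is placed in the cookie should be a revocable token that maps to the user on the server side rather than the user's actual credentials, so that a leaked key does not expose passwords.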
