On Mon, Feb 22, 2010 at 12:17 AM, Jon Chase <[email protected]> wrote:
>
> First off, I understand that the view of the Shiro developers is that
> remember me is not typically a good idea from a security standpoint.
>
> That said, I'm using the remember me functionality. :)

Actually, it's not bad to use RememberMe - it is a nice feature. But RememberMe does not represent an *authenticated* user, so we need to make that distinction so Shiro users can make decisions accordingly.

> Upon successful login (not remember me), my app stores some data in the
> HttpSession. This data is required later for app pages to load properly.

Shiro stores an encrypted version of the PrincipalCollection in the remember me cookie. Can you store that data as principals in the collection? If so, that data will be automatically saved and available when the identity is retrieved. Then you could retrieve it later from subject.getPrincipals(). This is why there can be multiple principals other than just the application's unique identifier.

But you're right, this process occurs on every request until the user is properly authenticated and so it might not be the most efficient mechanism - it might be good to provide a callback or event to react to this. Could you please open a Jira feature request if you'd like this?

In the meantime, the best place for logic like this is probably the SubjectFactory implementation - you're basically editing Subject state based on when the instance is created. You'll probably want to subclass DefaultSubjectFactory or DefaultWebSubjectFactory depending on your environment.

Let us know if this is ok or if you have other ideas that might better reflect your environment - we're certainly open.

Regards,

Les
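The two suggestions in the reply (put the extra data into the PrincipalCollection so it rides along in the RememberMe cookie, and repopulate HttpSession state from a SubjectFactory subclass) put together as one worked example. This is added illustration code, not code from the thread or from the Shiro project. It assumes the Shiro 1.x API (SimplePrincipalCollection, AuthorizingRealm, DefaultSubjectFactory.createSubject(SubjectContext), Subject.isRemembered()); the UserProfile class, ProfileRealm, ProfileSubjectFactory, the "userProfile" session attribute name and the hard-coded user record are all hypothetical.

```java
import java.io.Serializable;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSubjectFactory;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.SubjectContext;

/** Added example (hypothetical, not Shiro project code): per-user app data carried as a principal. */
public class RememberMeProfileExample {

    /** Hypothetical per-user data the pages need. It must be Serializable because Shiro
     *  serializes (and encrypts) the whole PrincipalCollection into the RememberMe cookie,
     *  and it should stay small because that cookie is sent on every request. */
    public static final class UserProfile implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String displayName;
        public final String tenantId;
        public UserProfile(String displayName, String tenantId) {
            this.displayName = displayName;
            this.tenantId = tenantId;
        }
    }

    /** Realm returning two principals: the username (primary) and the UserProfile (secondary). */
    public static class ProfileRealm extends AuthorizingRealm {
        private static final String REALM_NAME = "profileRealm";

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            UsernamePasswordToken upt = (UsernamePasswordToken) token;
            // Constructed stand-in for a user-store lookup; a real realm queries its database here.
            String username = upt.getUsername();
            UserProfile profile = new UserProfile("Jon", "tenant-42");
            char[] storedCredential = "hunter2".toCharArray();

            SimplePrincipalCollection principals = new SimplePrincipalCollection(username, REALM_NAME);
            principals.add(profile, REALM_NAME); // travels with the identity, RememberMe cookie included
            // AuthenticatingRealm compares the token's credentials with storedCredential via its CredentialsMatcher.
            return new SimpleAuthenticationInfo(principals, storedCredential);
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return new SimpleAuthorizationInfo(); // no roles or permissions in this example
        }
    }

    /** Read the profile back from whatever identity Shiro resolved: a real login or the cookie. */
    public static UserProfile profileOf(Subject subject) {
        PrincipalCollection principals = subject.getPrincipals();
        return principals == null ? null : principals.oneByType(UserProfile.class);
    }

    /** The SubjectFactory hook from the reply: when a remembered identity shows up, put the
     *  profile back into the session the pages read from. createSubject runs on every request
     *  until the user logs in, so only do the work when the attribute is missing.
     *  In a web app, subclass DefaultWebSubjectFactory instead. */
    public static class ProfileSubjectFactory extends DefaultSubjectFactory {
        public static final String PROFILE_ATTR = "userProfile"; // hypothetical attribute name

        @Override
        public Subject createSubject(SubjectContext context) {
            Subject subject = super.createSubject(context);
            if (subject.isRemembered()) { // identity from the cookie, not an authenticated login
                UserProfile profile = profileOf(subject);
                Session session = subject.getSession(); // assumption: session creation is allowed here
                if (profile != null && session.getAttribute(PROFILE_ATTR) == null) {
                    session.setAttribute(PROFILE_ATTR, profile);
                }
            }
            return subject;
        }
    }

    /** Remembered is not authenticated: gate sensitive actions on a real login. */
    public static boolean mayPerformSensitiveAction(Subject subject) {
        return subject.isAuthenticated();
    }
}
```

The factory is wired in with the security manager's setSubjectFactory property (in shiro.ini, `securityManager.subjectFactory = $profileSubjectFactory` after defining that bean in `[main]`). The design point the reply makes is preserved in mayPerformSensitiveAction: a profile restored from the cookie makes pages render, but anything that should require the user to have actually typed a password still checks isAuthenticated(), not merely the presence of principals.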
