Armando,
armandoxxx wrote:
> > Why is it so important for you to have remember me functionality

I think "remember me" is one of the great features of Shiro. The fact that this is such a common paradigm on the web (Amazon being a typical example) means that users have learned to expect this feature from consumer-facing apps. So I think it is important as developers that we figure out how to use this feature effectively.

"Remember me" is all about convenience for the end user; it is by no means a way to implement authentication. It is certainly possible for someone to forge a cookie, which is why you use remember me for personalization but not for giving access to sensitive data.

My point was that applications are developed over time, and as you release new versions your security implementation under the hood is likely going to change and improve. Some of these changes might break backwards compatibility with the remember me system, as I illustrated in my example. The solution that Les suggested would allow for the system to gracefully migrate these now incompatible remember me cookies, thereby providing a seamless experience to the user: the personalization features keep working.

armandoxxx wrote:
> > if application changed, then users should relogin

Sure, let's say you do want to force the user to relogin after you change your implementation. This still requires some extra work. As I explained, Shiro will blindly accept a remember me cookie and place that remembered principal in the Subject even if that principal is no longer valid. In order to force the user to relogin you need to subclass the RememberMeManager and hook into the deserialization process, as Les described, in order to validate and reject that principal.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-to-deal-with-remembered-principals-if-realm-has-since-changed-tp6009937p6010696.html
Sent from the Shiro User mailing list archive at Nabble.com.

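The validate-and-reject hook the thread talks about, as an added example that is not from the mailing-list posters or from the Shiro project: a RememberMeManager subclass that checks the deserialized principal against the current user store and forgets the cookie when the principal is stale, so the Subject is not treated as remembered and the user has to log in again. It assumes the Shiro 1.x hook names `convertBytesToPrincipals` and `forgetIdentity` on `CookieRememberMeManager`; the `PrincipalValidator` interface, the `example` package and the `KnownUsersValidator` class are hypothetical and stand in for whatever lookup the application's realm would do.

```java
package example; // hypothetical package, not part of Shiro

import java.util.Set;

import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SubjectContext;
import org.apache.shiro.web.mgt.CookieRememberMeManager;

/**
 * Remember-me manager that refuses to "remember" a principal the current
 * realm no longer recognises. Shiro itself accepts any cookie that decrypts
 * and deserializes cleanly; this subclass adds the missing validation step.
 */
public class ValidatingRememberMeManager extends CookieRememberMeManager {

    /** Hypothetical hook: answers whether a principal still exists in the current user store. */
    public interface PrincipalValidator {
        boolean isValid(Object primaryPrincipal);
    }

    private PrincipalValidator validator;

    /** Setter so the manager can be wired from shiro.ini or a DI container. */
    public void setValidator(PrincipalValidator validator) {
        this.validator = validator;
    }

    @Override
    protected PrincipalCollection convertBytesToPrincipals(byte[] bytes, SubjectContext subjectContext) {
        // Let Shiro decrypt and deserialize the cookie payload as usual. If the
        // principal class changed and deserialization fails, Shiro's own
        // onRememberedPrincipalFailure path handles that exception.
        PrincipalCollection principals = super.convertBytesToPrincipals(bytes, subjectContext);
        if (principals == null || principals.isEmpty() || validator == null) {
            return principals;
        }

        Object primary = principals.getPrimaryPrincipal();
        if (!validator.isValid(primary)) {
            // Stale principal (realm or identity model changed since the cookie
            // was issued): clear the cookie and report "nothing remembered", so
            // the next request builds an anonymous Subject and must authenticate.
            forgetIdentity(subjectContext);
            return null;
        }
        return principals;
    }

    /**
     * Constructed sample validator: treats a fixed set of usernames as the
     * current user store. A real application would query its realm or database.
     */
    public static final class KnownUsersValidator implements PrincipalValidator {
        private final Set<String> knownUsernames;

        public KnownUsersValidator(Set<String> knownUsernames) {
            this.knownUsernames = knownUsernames;
        }

        @Override
        public boolean isValid(Object primaryPrincipal) {
            // Only accept the principal type the current realm issues; a principal
            // of an older type is rejected even if it deserialized correctly.
            return primaryPrincipal instanceof String
                    && knownUsernames.contains(primaryPrincipal);
        }
    }
}
```

Wiring it in shiro.ini follows the normal pattern of declaring the manager as an object, assigning the validator through the `validator` property, and setting it as `securityManager.rememberMeManager`. Returning `null` from `convertBytesToPrincipals` is the signal Shiro's `getRememberedPrincipals` uses for "no remembered identity", which is why the Subject ends up unauthenticated rather than carrying the stale principal.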