Yeah I thought of the security issue, it seems though quite a few PHP
sites works like that (not to mention, build-in browser functionality
which does the same kind of unsafe client side caching).
In the idiom outlined in your source code, how can the server then
re-authorize without username and password. I assume the user table then
have to include a session field that is transferred and stored upon
initial login, and which is used to match up against on successive logins?
/Casper
Jeremy Thomerson wrote:
May I answer your question with a question?
Why would you want your password field to have the value pre-filled on the
page? Then the password is in plain text available to the user (and
assuming you're not on https, anyone in between). I've never seen an
instance where this was a good idea.
If you're trying to do an auto-login, you shouldn't show the login page at
all. Pseudo code would be:
if (getYourSession().isSignedIn() == false) {
String token = getCookie(someCookieID);
if (token not null and not empty) {
User user = lookupUser(token);
if (user != null) {
getYourSession().signIn(user);
} else {
// only here would you show login page, without anything pre-filled
because
// they're not already signed in and they don't have a cookie to sign
them in
setResponsePage(YourLoginPage.class);
}
}
}
On Tue, Dec 2, 2008 at 9:26 PM, Casper Bang <[EMAIL PROTECTED]> wrote:
I'm trying to implement credentials memory functionality for a login form
using cookies. I know there's an official example (
http://wicketstuff.org/wicket13/signin2/?x=7*:org.apache.wicket.examples.signin2.SignIn2)
however it simply delegates to some panel which is not available as source
on the page. So anyway, it should be simple, and all works great except that
I can not get the password field to get filled out upon page load. In my
constructor of my panel I do the following:
Cookie credentials =
((WebRequest)getRequestCycle().getRequest()).getCookie("credentials");
remember = credentials != null;
if(remember){
String[] credentialParts = credentials.getValue().split(":");
username = credentialParts[0];
password = credentialParts[1];
}
The fields username and password of the panel are bound to the form using a
CompoundPropertyModel. When I sniff request and response headers, I can see
that indeed the cookie info is sent around fine. I guess it has to do with
security somehow, but shouldn't this be possible even if I am using a
PasswordTextField?
Thanks in advance,
Casper
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
