Hi all,
I've implemented a more secure cookie-based auto-login in TF-Login to
replace the existing simple and insecure cookie scheme.
https://github.com/PierceNg/TF-Login/tree/password

To load, start with a fresh Pharo 7 image:

    "First load Seaside."
    Metacello new
        baseline: 'Seaside3';
        repository: 'github://SeasideSt/Seaside:v3.3.3/repository';
        load.

    "Then load TF-Login."
    Metacello new
        baseline: 'TFLogin';
        repository: 'github://PierceNg/TF-Login:password/src';
        load.

Start Test Runner to run TF-Login's tests. All 78 tests should pass. The
unit tests #testLoginLogout and #testLoginThenAutomaticLogin exercise
the cookie-based auto-login functionality.

Auto-login is also implemented in the TLTestApp demo Seaside application. See attached
screenshot of the cookie stored in Chromium upon logging into TLTestApp.

The original cookie-based auto-login stores username and the SHA1-hashed password in client
cookies. This replacement implementation is based on Paragon Initiative's blog post on
"remember me" cookies.

https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence

Pierce
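
The following is an added example, not part of the original post and not TF-Login's code: a Python sketch of the split-token (selector plus validator) "remember me" design that the linked Paragon Initiative post describes, in contrast to a cookie that carries the username and a password hash. The class and method names, the in-memory table, the 14-day lifetime and the rotate-on-use step are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class RememberMeStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self, lifetime=14 * 24 * 3600):
        self.rows = {}  # selector -> (sha256(validator), username, expires)
        self.lifetime = lifetime

    def issue(self, username, now=None):
        """Return the cookie value to set after a successful password login."""
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(9)    # lookup key, not a secret
        validator = secrets.token_urlsafe(32)  # secret; only its hash is stored
        digest = hashlib.sha256(validator.encode()).digest()
        self.rows[selector] = (digest, username, now + self.lifetime)
        return f"{selector}:{validator}"

    def redeem(self, cookie, now=None):
        """Return (username, fresh_cookie) for a valid cookie, else None."""
        now = time.time() if now is None else now
        selector, sep, validator = cookie.partition(":")
        row = self.rows.get(selector)
        if not sep or row is None:
            return None
        digest, username, expires = row
        presented = hashlib.sha256(validator.encode()).digest()
        # Constant-time comparison: the selector lookup may leak timing,
        # the validator check must not.
        if not hmac.compare_digest(digest, presented):
            return None
        del self.rows[selector]  # single use (a choice made in this sketch)
        if now > expires:
            return None
        return username, self.issue(username, now)

    def revoke_user(self, username):
        """Drop every token for a user, e.g. on logout or password change."""
        self.rows = {s: r for s, r in self.rows.items() if r[1] != username}
```

Unlike the password-hash cookie, nothing in the cookie is derived from the password, and a copy of the server-side table holds only validator hashes, so it cannot be replayed as a cookie.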