“Remember Me On This Computer” kind of feature for Seaside?


“Remember Me On This Computer” kind of feature for Seaside?

Mariano Martinez Peck
Hi guys,

Quick question, has anyone ever implemented a kind of “Remember Me On This Computer” feature in Seaside? If so, any guidelines or code share? :)   

Thanks in advance, 

--

_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

“Remember Me On This Computer” kind of feature for Seaside?

Louis LaBrunda
Hi Mariano,

>Quick question, has anyone ever implemented a kind of “Remember Me On This
>Computer” feature in Seaside? If so, any guidelines or code share? :)

>Thanks in advance,

I have.  It has been a while, so I don't remember the details but it was
simple.  Create a cookie at a point in time when you have the info you want
to remember, with whatever info you want to remember.  Read the cookie when
things start.  No cookie - nothing to remember, cookie - use whatever you
wanted to remember.

Lou
-----------------------------------------------------------
Louis LaBrunda
Keystone Software Corp.
SkypeMe callto://PhotonDemon
mailto:[hidden email] http://www.Keystone-Software.com


Re: “Remember Me On This Computer” kind of feature for Seaside?

Sven Van Caekenberghe-2
In reply to this post by Mariano Martinez Peck

> On 21 Sep 2015, at 15:53, Mariano Martinez Peck <[hidden email]> wrote:
>
> Hi guys,
>
> Quick question, has anyone ever implemented a kind of “Remember Me On This Computer” feature in Seaside? If so, any guidelines or code share? :)  

I guess it is normally implemented by storing a cookie, when you see the cookie back, you allow a login without further questions. That is a dangerous feature ;-)

I have it implemented, using tokens limited to a week or two, and with cookies limited to the current browser session (i.e. they are not persisted). I needed this to recover automagically from expired sessions. But then you need to implement annotated URLs too (at least some, or else you end up at the homepage all the time).

Most browsers remember and autofill username/password fields, it works for my Seaside apps. That should be enough and is much safer.

HTH,

Sven

> Thanks in advance,
>
> --
> Mariano
> http://marianopeck.wordpress.com


Re: “Remember Me On This Computer” kind of feature for Seaside?

Mariano Martinez Peck


On Mon, Sep 21, 2015 at 11:59 AM, Sven Van Caekenberghe <[hidden email]> wrote:

> > On 21 Sep 2015, at 15:53, Mariano Martinez Peck <[hidden email]> wrote:
> >
> > Hi guys,
> >
> > Quick question, has anyone ever implemented a kind of “Remember Me On This Computer” feature in Seaside? If so, any guidelines or code share? :)
>
> I guess it is normally implemented by storing a cookie, when you see the cookie back, you allow a login without further questions. That is a dangerous feature ;-)
>
> I have it implemented, using tokens limited to a week or two, and with cookies limited to the current browser session (i.e. they are not persisted). I needed this to recover automagically from expired sessions. But then you need to implement annotated URLs too (at least some, or else you end up at the homepage all the time).

Hi Sven, but where are the tokens persisted on the client side?

In my case, using the plain strategy of cookies is too insecure. I was taking a look at this article which seems much better:
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2

But I don't know how hard it would be to implement that in Pharo/Seaside.

Thoughts?

> Most browsers remember and autofill username/password fields, it works for my Seaside apps. That should be enough and is much safer.
>
> HTH,
>
> Sven

> Thanks in advance,
>
> --
> Mariano
> http://marianopeck.wordpress.com


Re: “Remember Me On This Computer” kind of feature for Seaside?

Sven Van Caekenberghe-2

> On 23 Sep 2015, at 19:45, Mariano Martinez Peck <[hidden email]> wrote:
>
>
>
> On Mon, Sep 21, 2015 at 11:59 AM, Sven Van Caekenberghe <[hidden email]> wrote:
>
> > On 21 Sep 2015, at 15:53, Mariano Martinez Peck <[hidden email]> wrote:
> >
> > Hi guys,
> >
> > Quick question, has anyone ever implemented a kind of “Remember Me On This Computer” feature in Seaside? If so, any guidelines or code share? :)
>
> I guess it is normally implemented by storing a cookie, when you see the cookie back, you allow a login without further questions. That is a dangerous feature ;-)
>
> I have it implemented, using tokens limited to a week or two, and with cookies limited to the current browser session (i.e. they are not persisted). I needed this to recover automagically from expired sessions. But then you need to implement annotated URLs too (at least some, or else you end up at the homepage all the time).
>
> Hi Sven, but where are the tokens persisted on the client side?
>
> In my case, using the plain strategy of cookies is too insecure. I was taking a look at this article which seems much better:
> https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2
>
> But I don't know how hard it would be to implement that in Pharo/Seaside.
>
> Thoughts?

Well, I do what is called 'Persistent Authentication Tokens' in the article.

The timing attack is really very far fetched in my opinion (remember it is a networked web app whose response time is variable anyway). DOS protection is hard anyway.

But I don't see why their 'Proactively Secure Long-Term User Authentication' would be technically harder to implement.

It is all pretty easy, using a cookie.

> Most browsers remember and autofill username/password fields, it works for my Seaside apps. That should be enough and is much safer.
>
> HTH,
>
> Sven
>
> > Thanks in advance,
> >
> > --
> > Mariano
> > http://marianopeck.wordpress.com
>
>
>
>
> --
> Mariano
> http://marianopeck.wordpress.com

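The 'Persistent Authentication Tokens' scheme Sven says he uses (a selector plus a validator in the cookie, only a hash of the validator kept server-side, tokens that expire after a week or two), as an added example that is not code from this thread or from Sven's application. It is written in Python rather than Pharo to stay framework-neutral; the in-memory dict standing in for a database, the `selector:validator` cookie format and the rotate-on-every-use behaviour are this example's own assumptions, not something the article or the thread prescribes.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_LIFETIME = 14 * 24 * 3600  # "a week or two", as Sven describes


class RememberMeStore:
    """Server-side table: selector -> (user, sha256(validator), expiry).

    Only a hash of the validator is stored, so a copy of the table does
    not yield a usable cookie. The dict stands in for a real database.
    """

    def __init__(self, now=time.time):
        self._rows = {}
        self._now = now  # injectable clock, so expiry can be tested

    def issue(self, user):
        """Create a token for `user`; return the cookie value selector:validator."""
        selector = secrets.token_urlsafe(12)   # lookup key, not a secret
        validator = secrets.token_urlsafe(32)  # the actual secret, never stored
        digest = hashlib.sha256(validator.encode()).digest()
        self._rows[selector] = (user, digest, self._now() + TOKEN_LIFETIME)
        return f"{selector}:{validator}"

    def redeem(self, cookie):
        """Return the user for a valid cookie, else None.
        The row is removed before the check, so every cookie value works at
        most once; the caller issues a fresh one on success (rotation).
        """
        selector, sep, validator = cookie.partition(":")
        if not sep:
            return None
        row = self._rows.pop(selector, None)
        if row is None:
            return None
        user, digest, expires = row
        if self._now() > expires:
            return None
        given = hashlib.sha256(validator.encode()).digest()
        # constant-time compare: cheap insurance, whatever one thinks of timing attacks
        if not hmac.compare_digest(given, digest):
            return None
        return user

    def revoke_all(self, user):
        """Forget every remembered browser of `user` (e.g. after a password change)."""
        self._rows = {s: r for s, r in self._rows.items() if r[0] != user}
```

In a Seaside app the cookie value returned by `issue` is what you would set on the response, and `redeem` is what you would call when a request arrives with that cookie but no live session.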

Re: “Remember Me On This Computer” kind of feature for Seaside?

Mariano Martinez Peck


On Wed, Sep 23, 2015 at 3:08 PM, Sven Van Caekenberghe <[hidden email]> wrote:

> > On 23 Sep 2015, at 19:45, Mariano Martinez Peck <[hidden email]> wrote:
> >
> > On Mon, Sep 21, 2015 at 11:59 AM, Sven Van Caekenberghe <[hidden email]> wrote:
> >
> > > On 21 Sep 2015, at 15:53, Mariano Martinez Peck <[hidden email]> wrote:
> > >
> > > Hi guys,
> > >
> > > Quick question, has anyone ever implemented a kind of “Remember Me On This Computer” feature in Seaside? If so, any guidelines or code share? :)
> >
> > I guess it is normally implemented by storing a cookie, when you see the cookie back, you allow a login without further questions. That is a dangerous feature ;-)
> >
> > I have it implemented, using tokens limited to a week or two, and with cookies limited to the current browser session (i.e. they are not persisted). I needed this to recover automagically from expired sessions. But then you need to implement annotated URLs too (at least some, or else you end up at the homepage all the time).
> >
> > Hi Sven, but where are the tokens persisted on the client side?
> >
> > In my case, using the plain strategy of cookies is too insecure. I was taking a look at this article which seems much better:
> > https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2
> >
> > But I don't know how hard it would be to implement that in Pharo/Seaside.
> >
> > Thoughts?
>
> Well, I do what is called 'Persistent Authentication Tokens' in the article.

Indeed, I was planning to do that as well.
I guess it's not that easy for you to share the code as an example, is it? Like one of your always super cool posts :)

> The timing attack is really very far fetched in my opinion (remember it is a networked web app whose response time is variable anyway). DOS protection is hard anyway.

Yeah, the timing attack looked like a bit too much for me as well.

> But I don't see why their 'Proactively Secure Long-Term User Authentication' would be technically harder to implement.

Yes, it doesn't look more complicated.

> It is all pretty easy, using a cookie.

> Most browsers remember and autofill username/password fields, it works for my Seaside apps. That should be enough and is much safer.
>
> HTH,
>
> Sven
>
> > Thanks in advance,
> >
> > --
> > Mariano
> > http://marianopeck.wordpress.com
>
>
>
>
> --
> Mariano
> http://marianopeck.wordpress.com
