"Remember me" in Seaside

"Remember me" in Seaside

Torsten Bergmann
Any code to share for a "remember me" functionality on logins?
Is there a common pattern on how to do it?

Thx
T.
_______________________________________________
seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

Re: "Remember me" in Seaside

Tobias Pape

On 11.03.2014, at 09:39, Torsten Bergmann <[hidden email]> wrote:

> Any code to share for a "remember me" functionality on logins?
> Is there a common pattern on how to do it?

You could enable session handling via cookies and set a high value
for the cache live span. But apart from this, not to my knowledge.



Re: "Remember me" in Seaside

Sven Van Caekenberghe-2
In reply to this post by Torsten Bergmann
I do it with my own cookie, very easy to do:

"before showing the username"

(self requestContext request cookieAt: self loginUsernameCookieKey)
  ifNotNil: [ :cookie | username := cookie value ]

"after a successful login"

self requestContext response addCookie: self loginUsernameCookie.

where

loginUsernameCookie
  ^ self requestContext newCookie
      key: self loginUsernameCookieKey;
      value: self username;
      expireIn: 1 year;
      yourself

HTH,

Sven

On 11 Mar 2014, at 09:39, Torsten Bergmann <[hidden email]> wrote:

> Any code to share for a "remember me" functionality on logins?
> Is there a common pattern on how to do it?
>
> Thx
> T.


Re: "Remember me" in Seaside

Karsten Kusche
Do as Sven suggests with Cookies.

Here’s a general approach to implement Remember-me cookies: http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/

Karsten

-- 
Karsten Kusche - Dipl. Inf. (FH) - [hidden email]
Georg Heeg eK - Köthen
Handelsregister: Amtsgericht Dortmund A 12812 

On Tuesday, 11 March 2014 at 12:10, Sven Van Caekenberghe wrote:

> I do it with my own cookie, very easy to do:
>
> "before showing the username"
>
> (self requestContext request cookieAt: self loginUsernameCookieKey)
>   ifNotNil: [ :cookie | username := cookie value ]
>
> "after a successful login"
>
> self requestContext response addCookie: self loginUsernameCookie.
>
> where
>
> loginUsernameCookie
>   ^ self requestContext newCookie
>       key: self loginUsernameCookieKey;
>       value: self username;
>       expireIn: 1 year;
>       yourself
>
> HTH,
>
> Sven
>
> On 11 Mar 2014, at 09:39, Torsten Bergmann <[hidden email]> wrote:
>
>> Any code to share for a "remember me" functionality on logins?
>> Is there a common pattern on how to do it?
>>
>> Thx
>> T.

Re: "Remember me" in Seaside

Esteban A. Maringolo
In reply to this post by Sven Van Caekenberghe-2
But what if I spoof the cookie with a particular username?

There should be a server side session whitelist, and a shared token.
Shouldn't it?

Regards!
Esteban A. Maringolo


2014-03-11 8:10 GMT-03:00 Sven Van Caekenberghe <[hidden email]>:

> I do it with my own cookie, very easy to do:
>
> "before showing the username"
>
> (self requestContext request cookieAt: self loginUsernameCookieKey)
>   ifNotNil: [ :cookie | username := cookie value ]
>
> "after a successful login"
>
> self requestContext response addCookie: self loginUsernameCookie.
>
> where
>
> loginUsernameCookie
>   ^ self requestContext newCookie
>       key: self loginUsernameCookieKey;
>       value: self username;
>       expireIn: 1 year;
>       yourself
>
> HTH,
>
> Sven
>
> On 11 Mar 2014, at 09:39, Torsten Bergmann <[hidden email]> wrote:
>
>> Any code to share for a "remember me" functionality on logins?
>> Is there a common pattern on how to do it?
>>
>> Thx
>> T.

Re: "Remember me" in Seaside

Sven Van Caekenberghe-2
What I do (and the part that I described in the message) was to remember the *username*, **not** the password, as a convenience for the user to log in faster (something that most browsers can do too, with the password even). I think that is always safe.

The other functionality (maybe that is what you were asking for) is to keep the user really logged in for a longer time (say days or weeks) even when the session expires.

That I have not yet done with the (mobile) Seaside app that I am currently working on, but I plan to do it (although it will be hard(er) in Seaside because explicit/annotated URLs are needed I think).

I have done it in another mobile web app, and it is indeed quite tricky to do. What I did, if I remember correctly, was to generate a hard to guess token that is the value of the cookie. These tokens are then kept in a table on the server where the critical data to restart the session, like username/password is stored.

Indeed, someone stealing the cookie in transit can then login, but the same is true for a regular login using username/password. The only modern solution is to always use HTTPS.

Another thing that I tried was 'user agent fingerprinting': remembering some (header) properties of the user agent and then enforcing them, but this is hard to do reliably.

On 11 Mar 2014, at 20:03, Esteban A. Maringolo <[hidden email]> wrote:

> But what if I spoof the cookie with a particular username?
>
> There should be a server side session whitelist, and a shared token.
> Shouldn't it?
>
> Regards!
> Esteban A. Maringolo
>
>
> 2014-03-11 8:10 GMT-03:00 Sven Van Caekenberghe <[hidden email]>:
>> I do it with my own cookie, very easy to do:
>>
>> "before showing the username"
>>
>> (self requestContext request cookieAt: self loginUsernameCookieKey)
>>  ifNotNil: [ :cookie | username := cookie value ]
>>
>> "after a successful login"
>>
>> self requestContext response addCookie: self loginUsernameCookie.
>>
>> where
>>
>> loginUsernameCookie
>>  ^ self requestContext newCookie
>>      key: self loginUsernameCookieKey;
>>      value: self username;
>>      expireIn: 1 year;
>>      yourself
>>
>> HTH,
>>
>> Sven
>>
>> On 11 Mar 2014, at 09:39, Torsten Bergmann <[hidden email]> wrote:
>>
>>> Any code to share for a "remember me" functionality on logins?
>>> Is there a common pattern on how to do it?
>>>
>>> Thx
>>> T.


Re: "Remember me" in Seaside

Sven Van Caekenberghe-2
In reply to this post by Karsten Kusche

On 11 Mar 2014, at 12:39, Karsten Kusche <[hidden email]> wrote:

> Here’s a general approach to implement Remember-me cookies: http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/

That is an excellent write up.
Thanks for sharing it.

Yes, the one-time-use and re-issue is necessary too.
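The scheme Sven describes above (a hard-to-guess token as the cookie value, looked up in a server-side table) together with the one-time-use and re-issue rule from the linked write-up, as an added example that is not part of this thread and not Seaside code: it is a framework-neutral Python sketch in which request and response cookies are plain dicts, and all names (`RememberMeStore`, `COOKIE_NAME`, `TOKEN_LIFETIME`, `resume_from_cookie`, the clock helper) are this example's own. It also addresses Esteban's spoofing question: a cookie that merely carries a username is accepted on its face, whereas here only a token the table knows can resume a login. Storing the SHA-256 of the token rather than the token itself is an extra precaution of this example, not something the thread proposes.

```python
# Added example: server-side "remember me" tokens with one-time use and
# re-issue. Not from the mailing-list thread; all names are hypothetical.
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

COOKIE_NAME = "remember_me"          # hypothetical cookie key
TOKEN_LIFETIME = timedelta(days=30)  # hypothetical lifetime (Sven uses 1 year)


class ManualClock:
    """Settable clock so expiry can be exercised deterministically."""

    def __init__(self, start: Optional[datetime] = None):
        # Constructed fixed start time for offline runs.
        self.now = start or datetime(2014, 3, 11, 9, 39, tzinfo=timezone.utc)

    def advance(self, delta: timedelta) -> None:
        self.now += delta


@dataclass
class TokenRecord:
    username: str
    expires_at: datetime


class RememberMeStore:
    """In-memory stand-in for the server-side token table.

    Keyed by SHA-256 of the token, so a leaked copy of the table does not
    contain usable cookie values.
    """

    def __init__(self, clock: ManualClock):
        self._clock = clock
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, username: str) -> str:
        """Mint a 256-bit random token for username and remember its hash."""
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = TokenRecord(
            username, self._clock.now + TOKEN_LIFETIME)
        return token

    def redeem(self, token: str) -> Optional[Tuple[str, str]]:
        """Consume a token; return (username, fresh_token) or None.

        The record is removed before any check, so a token is usable at most
        once whatever the outcome; a valid one is replaced by a new one.
        """
        record = self._records.pop(self._digest(token), None)
        if record is None or record.expires_at <= self._clock.now:
            return None
        return record.username, self.issue(record.username)

    def revoke_user(self, username: str) -> int:
        """Drop every token of a user (logout everywhere, password change)."""
        doomed = [h for h, r in self._records.items() if r.username == username]
        for h in doomed:
            del self._records[h]
        return len(doomed)

    def count(self) -> int:
        return len(self._records)


def login_with_password(store: RememberMeStore, username: str, password: str,
                        check_password: Callable[[str, str], bool],
                        response_cookies: Dict[str, str]) -> bool:
    """Regular login: verify the password, then set the remember-me cookie."""
    if not check_password(username, password):
        return False
    response_cookies[COOKIE_NAME] = store.issue(username)
    return True


def resume_from_cookie(store: RememberMeStore, request_cookies: Dict[str, str],
                       response_cookies: Dict[str, str]) -> Optional[str]:
    """Request without a live session: trust only a token the table knows."""
    token = request_cookies.get(COOKIE_NAME)
    if token is None:
        return None
    result = store.redeem(token)
    if result is None:
        response_cookies[COOKIE_NAME] = ""  # clear the stale or bogus cookie
        return None
    username, fresh = result
    response_cookies[COOKIE_NAME] = fresh   # re-issue: rotate on every use
    return username
```

In a real deployment the cookie should also be sent with the `Secure` and `HttpOnly` flags over HTTPS only, which matches Sven's remark that transport encryption is the only answer to cookie theft in transit; the rotation above additionally limits how long a stolen token stays usable.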
