On 04/03/2010 04:47 PM, stefan bachert wrote:
> Hi,
> is there a way to get rid of the rememberme cookie at all?
> Just setting rememberme_j to false does not work.
You can do it, but it's not trivial.
You need to create a new class implementing
com.xpn.xwiki.user.api.XWikiAuthService (you could extend
com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl or
AbstractXWikiAuthService for a start) and use a different
PersistentLoginManager instead of the current (hardcoded)
MyPersistentLoginManager which uses cookies. Then, in xwiki.cfg set the
value for xwiki.authentication.authclass to the FQN of this implementation.
You could consider one of the other authenticator methods, LDAP, NTLM,
SunSSO, headers...
> I still feel bad about this rememberme feature. It is a
> security hole.
Well, it isn't such a huge hole, most of the web uses cookies for
authentication. Combined with SSL always on and with IP-bound cookies,
it's actually quite good.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
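The reply above argues that a remember-me cookie is acceptable when it is sent only over SSL and bound to the client IP. The following is an added illustration of that idea, not XWiki's MyPersistentLoginManager or any other code from the project: a keyed HMAC ties the cookie to the username and the client address, so a cookie replayed from a different address fails validation, and the Set-Cookie header carries the Secure and HttpOnly attributes. The key, the cookie layout and the helper names are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret; in practice this lives in server config and is never sent to clients.
SECRET_KEY = secrets.token_bytes(32)

SEPARATOR = "|"


def _tag(username: str, client_ip: str, key: bytes) -> str:
    """HMAC-SHA256 over username and client IP, so the tag is only valid for that address."""
    payload = f"{username}{SEPARATOR}{client_ip}".encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_cookie(username: str, client_ip: str, key: bytes = SECRET_KEY) -> str:
    """Build an IP-bound remember-me cookie value of the form '<username>|<tag>'."""
    if SEPARATOR in username:
        raise ValueError("username must not contain the separator character")
    return f"{username}{SEPARATOR}{_tag(username, client_ip, key)}"


def validate_cookie(cookie: str, client_ip: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the username if the cookie was issued for this client IP, otherwise None.

    A cookie captured on one address and replayed from another produces a different
    expected tag and is rejected; a tampered username is rejected for the same reason.
    """
    parts = cookie.split(SEPARATOR)
    if len(parts) != 2:
        return None
    username, tag = parts
    expected = _tag(username, client_ip, key)
    # constant-time comparison avoids leaking how many tag characters matched
    if hmac.compare_digest(tag, expected):
        return username
    return None


def set_cookie_header(value: str, ssl_only: bool = True) -> str:
    """Render the Set-Cookie header; Secure keeps the cookie off plaintext HTTP, HttpOnly keeps it from scripts."""
    attrs = [f"rememberme={value}", "Path=/", "HttpOnly"]
    if ssl_only:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    # Constructed sample: a login from 10.0.0.5, then a replay attempt from 10.0.0.6.
    cookie = issue_cookie("alice", "10.0.0.5")
    print(set_cookie_header(cookie))
    print("same address  ->", validate_cookie(cookie, "10.0.0.5"))
    print("other address ->", validate_cookie(cookie, "10.0.0.6"))
```

Binding to the client IP is a mitigation, not a complete answer: clients behind a changing NAT or proxy address lose their session, and an attacker on the same address is not stopped, which is why the Secure attribute (cookie only over SSL) is the other half of the argument in the reply above.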