remember-me

PHP “Remember Me” security flaw?

自古美人都是妖i 提交于 2019-12-04 17:32:22
问题 I'm in the middle of coding a 'remember me'-equipped login form, and so far the tutorials I've read (partly to make sure I'm doing it right) all say to store the encrypted password in a cookie along with the username. Then, each time PHP checks if the current user is not logged in, check their cookies and look for those values. If the username matches the password, you're in. To me, this is a gaping security hole. If somebody were to hack the database or somehow get access to the encrypted

Spring Security - Remember Me Authentication Error

眉间皱痕 提交于 2019-12-04 12:13:21
We are using Spring MVC and are encountering the following issue related to Remember Me authentication: User logs in with "Remember Me" checked, works properly, persistent_login table is updated as expected We restart the app server, perhaps after a deploy, etc User refreshes page, we see the error msg in Figure 1, user is redirected to login page (does not see error) Despite error, persistent_login entry token has updated (series remains the same as prior to refresh), spring Remember Me token remains same as well. User refreshes page a second time, they are logged in like nothing ever

ASP.NET Identity 2 Remember Me - User Is Being Logged Out

断了今生、忘了曾经 提交于 2019-12-04 10:36:44
问题 I am using Identity 2.1 in my MVC5 app. I am setting the isPersistent property of the PasswordSignInAsync to true to enable 'Remember Me': var result = await SignInManager.PasswordSignInAsync(model.Username, model.Password, true, shouldLockout: false); But if I stay logged in overnight, then when I refresh the page in the morning, it logs me out and I have to sign in again. How do I prevent automatic logging out until the user manually logs out? Is it something to do with the Cookie

'Remember-me' authentication feature, does it always mean 'Unsecure' Website?

好久不见. 提交于 2019-12-04 08:33:06
问题 I'm considering to implement the classic 'remember-me' checkbox on my webapp to allow the authenticated user to be 'remembered' once he returns to visit my website. Gmail, Facebook and others have this kind of feature but I'm not too sure how secure it can be. A Java Framework like Spring Security uses an 'Hash-Based Token Approach'. The token that gets generated (using username,password,expirationTime and a privateKey) is stored in the Client's Cookies 'token=567whatever567'. The token is

remember_me with warden

有些话、适合烂在心里 提交于 2019-12-04 07:03:20
For my lastest project I'm using https://github.com/hassox/rails_warden . It suits my needs very well except that I can't find a good way to implement remember_me. I know that it's notoriously difficult to get remember_me right from a security point of view so I'm hoping there's a project out there that will do the job. Anyone seen anything or get a good idea? Devise , which is an authentication solution on top of Warden, has a rememberable implementation. Macario Ok here's how I solved it # User model must have remember_token attribute # in config.ru use Rack::Cookies run MyApp # in lib

MVC 5 ASP.NET Identity 2: Capture user's preference for “remember me” in ExternalLogin

夙愿已清 提交于 2019-12-04 04:43:57
问题 I am using the Identity 2.0 Sample. I get that by setting isPersistent to true in ExternalLoginCallback action method, the browser will automatically log the user in the next time (within limits) they visit using the same browser. I know that if the user's "remember me" preference was captured and passed to the ExternalLogin action method that it could be put into returnUrl and accessed in ExternalLoginCallback. But how do I get their preference to the ExternalLogin action method? I don't get

Save login details(preferences) android

主宰稳场 提交于 2019-12-03 21:25:36
问题 I have one android app with login, logout functions. The login form contains Username and password and the login button. I want to save the username and the password when the user checks the "Remember me" check box. My project.java file is shown below: public class project extends Activity { private static final int IO_BUFFER_SIZE = 4 * 1024; /** Called when the activity is first created. */ public int user_id,current_user_id; public String access_token,username,current_username; public

FOSUserBundle and remember me

时光总嘲笑我的痴心妄想 提交于 2019-12-03 13:38:45
问题 I'm using a FOSUserBundle for authentication in Symfony2. Everything works fine except "remember me". My security.yml looks like this: security: providers: fos_userbundle: id: fos_user.user_manager encoders: 'FOS\UserBundle\Model\UserInterface': sha512 firewalls: main: pattern: ^/ form_login: provider: fos_userbundle logout: true anonymous: true remember_me: key: aSecretKey lifetime: 3600 path: / domain: ~ access_control: - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^

Spring Security RememberMe Services with Session Cookie

£可爱£侵袭症+ 提交于 2019-12-03 13:23:38
问题 I am using Spring Security's RememberMe Services to keep a user authenticated. I would like to find a simple way to have the RememberMe cookie set as a session cookie rather than with a fixed expiration time. For my application, the cookie should persist until the user closes the browser. Any suggestions on how to best implement this? Any concerns on this being a potential security problem? The primary reason for doing so is that with a cookie-based token, any of the servers behind our load

SpringSecurity3.X的remember-me

这一生的挚爱 提交于 2019-12-03 13:06:02
在SpringSecurity中配置remember-me时,遇到这样的问题,remember-me没有起作用,按照官方文档的讲解,只需要在<http>中增加<remember-me />配置,并在login.jsp中增加如下代码即可: <input id="_spring_security_remember_me" name="_spring_security_remember_me" type="checkbox" value="true"/> 简要说明一下SpringSecurity的登录过程: UsernamePasswordAuthenticationFilter :获得用户提交的用户名和密码信息 -->UserDetailsService :由其封装用户对象 -->AbstractUserDetailsAuthenticationProvider :转由其进行密码和权限验证,验证通过后封装一个Authentication -->ProviderManager:会将Authentication封装到SecurityContext中(默认情况下,ProviderManager会在认证成功后清除掉Authentication的密码信息,但会保留用户名称) -->AbstractRememberMeServices :判断请求参数中是否包含_spring_security
订阅 remember-me