Forums

USER_PASSWORD in session and Remember Me option

Michal Apple, modified 12 years ago

USER_PASSWORD in session and Remember Me option

New Member Posts: 11 Join date: 2012.03.01
Hello everyone,

We need to keep the password of a logged-in user in plain text form in a session. The reason is that we are authenticating the user against a third-party service which requires the username and password to be sent in plain text form. Unfortunately, we have to adapt.

I realized the user_password can be stored in a session through a configuration attribute change (using session.store.password=true). I have successfully managed this and I can retrieve the user password from the session.

My question is the following: what about the remember me checkbox? That is, what happens if the user checks remember me, then uses the portal for a while, then closes the browser (without logging out) and returns after a couple of days? Remember me ensures he will still be logged in. But will I be able to retrieve the user's password?

Thanks a lot.

Regards
Michal
Sandeep Nair, modified 12 years ago

RE: USER_PASSWORD in session and Remember Me option

Liferay Legend Posts: 1744 Join date: 2008.11.06
Hi Michal,

I don't think Remember me has anything to do with whether the password is plain or not.

When you use Remember me, Liferay stores the userid and password (this is the plain password encrypted using companyid) in a cookie. This is irrespective of whether you store the password in the session or not. As long as remember me is enabled, the cookie stores the encrypted password. The max age of the cookie is defined using the property company.security.auto.login.max.age, which you can override using portal-ext.properties. The default value is 31536000 seconds (365 days).

Regards,
Sandeep
Michal Apple, modified 12 years ago

RE: USER_PASSWORD in session and Remember Me option

New Member Posts: 11 Join date: 2012.03.01
Hi Sandeep and Jitendra

Thank you for your answers. It looks clear to me now. Just to make sure, I would like to ask about the following case:

- user logs into the portal using his credentials and checks Remember me,
- logged user works with the portal (I have his password stored in the USER_PASSWORD session and I use it to authenticate him against third party services),
- user closes the browser (without logging in),
- user opens the portal after e.g. 20 days. Remember me cookies are still stored on his computer and they ensure he is still logged in.

After this will I have his password present in the USER_PASSWORD session?

Thanks again

Regards
Michal
Sandeep Nair, modified 12 years ago

RE: USER_PASSWORD in session and Remember Me option (Answer)

Liferay Legend Posts: 1744 Join date: 2008.11.06
Yeap. You will.

There is an AutoLoginFilter that gets called when you are doing auto login. It retrieves the password and stores it in the session. You can see the following snippet in AutoLoginFilter.

    if (PropsValues.SESSION_STORE_PASSWORD) {
        session.setAttribute(WebKeys.USER_PASSWORD, jPassword);
    }

Regards,
Sandeep
Michal Apple, modified 12 years ago

RE: USER_PASSWORD in session and Remember Me option

New Member Posts: 11 Join date: 2012.03.01
Thanks again Sandeep. It is absolutely clear to me.

Have a nice day

Regards
Michal
Jitendra Rajput, modified 12 years ago

RE: USER_PASSWORD in session and Remember Me option

Liferay Master Posts: 875 Join date: 2011.01.07
On successful login, Liferay creates cookies for username, password, remember me, etc.
If you log in without checking the remember me check box, the age of the cookies will be -1 and 0.

    companyIdCookie.setMaxAge(-1);
    idCookie.setMaxAge(-1);
    passwordCookie.setMaxAge(-1);
    rememberMeCookie.setMaxAge(0);

An age of -1 indicates that the cookie will be destroyed when you close your browser, and 0 means it will immediately delete your cookie.

And if you mark the remember me check box, then the age of the cookie will be set based on the following property from portal-ext:

company.security.auto.login.max.age

    int loginMaxAge = PropsValues.COMPANY_SECURITY_AUTO_LOGIN_MAX_AGE;

    companyIdCookie.setMaxAge(loginMaxAge);
    idCookie.setMaxAge(loginMaxAge);
    passwordCookie.setMaxAge(loginMaxAge);
    rememberMeCookie.setMaxAge(loginMaxAge);
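
Added example, not part of the original thread and not Liferay code: a Python check that reads portal-ext.properties text and reports the two settings discussed above, session.store.password and company.security.auto.login.max.age. The sample files, the function names and the 14-day limit are constructed assumptions; the 31536000 default is the value quoted in the thread.

```python
# Added example: audit Liferay portal-ext.properties text for the two settings
# discussed in this thread. Sample files and the 14-day limit are constructed.
DEFAULT_MAX_AGE = 31536000       # default quoted in the thread (365 days)
MAX_AGE_LIMIT = 14 * 24 * 3600   # assumed local policy, not a Liferay value

WEAK = """\
# constructed sample: password kept in session, cookie lifetime left at default
session.store.password=true
"""
HARDENED = """\
# constructed sample
session.store.password = false
company.security.auto.login.max.age: 86400
"""


def parse_properties(text):
    """Parse key=value / key:value lines (no line continuations); last wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if cut > 0:
            props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def audit(text, limit=MAX_AGE_LIMIT):
    """Return a list of (property, reason) findings."""
    props, findings = parse_properties(text), []
    # Assumption: an unset session.store.password means the password is not stored.
    if props.get("session.store.password", "false").lower() == "true":
        findings.append(("session.store.password",
                         "plain-text password is held in WebKeys.USER_PASSWORD"))
    key = "company.security.auto.login.max.age"
    raw = props.get(key, str(DEFAULT_MAX_AGE))
    try:
        age = int(raw)
    except ValueError:
        findings.append((key, f"not an integer: {raw!r}"))
    else:
        if age > limit:
            findings.append((key, f"password cookie lives {age}s (> {limit}s)"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```

A file that omits company.security.auto.login.max.age is reported too, because the 365-day default then applies to the password cookie.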