Forum OpenACS Development: Re: Remember Me Feature Broken!

Posted by Carl Robert Blesius on

Those changes were added by you.

Can you comment on this?

We want to fix this feature without breaking what looks to be a security fix.


Posted by Gustaf Neumann on
The referenced change had two security related effects: One was against session hijacking, which was possible before (revealed by an external security audit, we did last year). The second one is about cookie deletion upon browser close (we had this issue that in public classrooms, people close their browser, and the next person opening the browser is still logged in as the previous user). It looks like "remember me" (whatever this means in detail) and logout-on-close cannot be realized at the same time. Victor is currently looking into the details, a fix will be out soon.
Posted by Victor Guerra on
In order to avoid discarding the cookie ad_session_id when browser closes, one would need to know weather the user checked, in the login form, the option "remember me". But at the moment of setting the cookie this info is not available.

Therefore we thought about adding to the values list of ad_user_login ( or ad_user_login_secure in case of being under secure connections ) the value of the "remember me" check box with the purpose of querying it when setting the ad_session_id. When user don't want to be remembered then the ad_sesssion_id will be discarded otherwise expiration date is set to whatever value is configured on the SessionTimeout parameter.

In our case we don't allow persistent logins which means that this change will still continue to discard the ad_session_id cookie, so we are on the safe side.
Would this change make sense to you all? I already did this modifications in my local instance and works well.