I've implemented a more secure cookie-based auto-login in the TF-Login 'password' branch, replacing the existing simple and insecure cookie scheme.

To load it, start with a fresh Pharo 7 image:
    "First load Seaside."
    Metacello new
        baseline: 'Seaside3';
        repository: 'github://SeasideSt/Seaside:v3.3.3/repository';
        load.

    "Then load TF-Login."
    Metacello new
        baseline: 'TFLogin';
        repository: 'github://PierceNg/TF-Login:password/src';
        load.
Start Test Runner to run TF-Login's tests. All 78 tests should pass. The class TLTest runs "scripted interactive" tests on the
methods exercise the cookie-based auto-login functionality.

Auto-login is also implemented in the TLTestApp demo Seaside application. Here's a screenshot of the cookie stored in Chromium upon logging into
The original cookie-based auto-login stores the username and the SHA1-hashed password in client cookies, so the credential itself travels with the browser. This replacement implementation is based on Paragon Initiative's blog post on "remember me" cookies.

Tags: Seaside, security, TF-Login
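Paragon's scheme splits the token into a public selector and a secret validator, and the server stores only a hash of the validator. The following is an added illustration in Python, not TF-Login's Smalltalk code or Paragon's PHP; the in-memory dictionary stands in for the server-side token table.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the server-side token table:
# selector -> (sha256(validator), username, expiry). Only a hash of the
# validator is kept, so a leaked table cannot be replayed as cookies.
REMEMBER_ME_DB = {}


def issue_remember_me(username, now, ttl=30 * 86400):
    """Mint a persistent-login token; return the cookie value to set."""
    selector = secrets.token_urlsafe(12)   # public lookup key, no ':' in it
    validator = secrets.token_bytes(32)    # secret half, sent to the client only
    REMEMBER_ME_DB[selector] = (
        # A fast hash is enough here: the validator is 256 random bits, not
        # a password, so there is nothing for a guessing attack to gain.
        hashlib.sha256(validator).digest(),
        username,
        now + ttl,
    )
    return f"{selector}:{validator.hex()}"


def auto_login(cookie_value, now):
    """Return the username for a valid remember-me cookie, else None."""
    try:
        selector, validator_hex = cookie_value.split(":", 1)
        validator = bytes.fromhex(validator_hex)
    except ValueError:
        return None
    record = REMEMBER_ME_DB.get(selector)
    if record is None:
        return None
    stored_hash, username, expires_at = record
    if now >= expires_at:
        del REMEMBER_ME_DB[selector]       # expired tokens are purged, not reused
        return None
    # The table lookup used the public selector; the secret half is compared
    # in constant time so response timing leaks nothing about the validator.
    if not hmac.compare_digest(stored_hash, hashlib.sha256(validator).digest()):
        return None
    return username


def revoke(selector):
    """Log out this device: drop the token so the cookie becomes useless."""
    return REMEMBER_ME_DB.pop(selector, None) is not None
```

Unlike the original scheme, a stolen cookie here exposes no password material, and a single token can be revoked server-side without affecting the user's other sessions.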