I've implemented a more secure cookie-based auto-login in TF-Login 'password' branch to replace the existing simple and insecure cookie scheme.
To load, start with fresh Pharo 7 image:
"First load Seaside."
Metacello new
baseline: 'Seaside3';
repository: 'github://SeasideSt/Seaside:v3.3.3/repository';
load.
"Then load TF-Login."
Metacello new
baseline: 'TFLogin';
repository: 'github://PierceNg/TF-Login:password/src';
load.
Start Test Runner to run TF-Login's tests. All 78 tests should pass. The class
TLTest
runs "scripted interactive" tests on the TLTester
Seaside
application. TLTest
's testLoginLogout
and testLoginThenAutomaticLogin
methods exercise the cookie-based auto-login functionality.
Auto-login is also implemented in the TLTestApp
demo Seaside application. Here's a
screenshot of the cookie stored in Chromium upon logging into TLTestApp
.
The original cookie-based auto-login stores username and the SHA1-hashed password in client cookies. This replacement implementation is based on Paragon Initiative's blog post on "remember me" cookies.
Tags: Seaside, security, TF-Login