Shiro / SHIRO-441

Explain how "Remember Me" works under the hood and that you might want to use a custom cipher key


Details

    • Type: Documentation
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.2.1
    • Fix Version/s: None
    • Component/s: Documentation, Sample Apps
    • Labels: None

    Description

      Neither the tutorial (http://shiro.apache.org/tutorial.html (section "Using Shiro")) nor the reference documentation (http://shiro.apache.org/authentication.html#Authentication-Rememberedvs.Authenticated (chapter "Authentication")) give any hints that without a custom cipher key the - publicly available - default key will be used (defined in http://grepcode.com/file/repo1.maven.org/maven2/com.ning/metrics.collector/1.2.1/org/apache/shiro/mgt/AbstractRememberMeManager.java/).

      Especially the statement in the tutorial is questionable: "this is all you have to do to support 'remember me' (no config - built in!)". While true, and fairly obvious to advanced developers, the potential security implications should be better explained.
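      The following is an added example (not part of this issue, nor code from the Shiro project) showing what the reporter asks the documentation to explain: generating a per-deployment "remember me" cipher key and installing it instead of the built-in default. It uses Shiro's public API (AesCipherService, CookieRememberMeManager, DefaultWebSecurityManager, Base64); the class and method names shown are real Shiro API, but the surrounding wiring and the idea of printing the key once for an operator to store in configuration are this example's own choices.

```java
import java.security.Key;

import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

/**
 * Added example: configure "remember me" with a deployment-specific AES key
 * rather than relying on the key hard-coded in AbstractRememberMeManager.
 */
public class RememberMeKeyConfig {

    /** Generates a fresh random AES key (128-bit by default for AesCipherService). */
    public static byte[] generateCipherKey() {
        AesCipherService aes = new AesCipherService();
        Key key = aes.generateNewKey();
        return key.getEncoded();
    }

    /** Builds a security manager whose RememberMe cookies are encrypted with the given key. */
    public static DefaultWebSecurityManager buildSecurityManager(byte[] cipherKey) {
        CookieRememberMeManager rememberMe = new CookieRememberMeManager();
        // Replaces the publicly known default key; cookies minted under the
        // old key become undecryptable, which is the intended effect of rotation.
        rememberMe.setCipherKey(cipherKey);

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(rememberMe);
        return securityManager;
    }

    public static void main(String[] args) {
        byte[] key = generateCipherKey();
        // Print once so an operator can store it in secret configuration;
        // in a real deployment the key is loaded from that configuration, not generated at startup.
        System.out.println("rememberMe cipherKey (base64): " + Base64.encodeToString(key));
        buildSecurityManager(key);
    }
}
```

      The equivalent in shiro.ini, once a key has been generated and stored, is a single line under [main], e.g. `securityManager.rememberMeManager.cipherKey = <base64 key>`; the point is that the key must be unique per deployment and kept out of source control, because anyone holding the default key can forge the cookie.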

      People

        Assignee: Unassigned
        Reporter: Marian Seitner (marian.seitner)