SHIRO-441: Explain how "Remember Me" works under the hood and that you might want to use a custom cipher key


    Details

    • Type: Documentation
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.2.1
    • Fix Version/s: None
    • Component/s: Documentation, Sample Apps
    • Labels: None

      Description

      Neither the tutorial (http://shiro.apache.org/tutorial.html (section "Using Shiro")) nor the reference documentation (http://shiro.apache.org/authentication.html#Authentication-Rememberedvs.Authenticated (chapter "Authentication")) gives any hint that without a custom cipher key the (publicly available) default key will be used (defined in http://grepcode.com/file/repo1.maven.org/maven2/com.ning/metrics.collector/1.2.1/org/apache/shiro/mgt/AbstractRememberMeManager.java/).

      Especially the statement in the tutorial is questionable: "this is all you have to do to support 'remember me' (no config - built in!)". While true, and fairly obvious to advanced developers, the potential security implications should be better explained.
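      The configuration the reporter is asking the documentation to explain, as an added example that is not part of the issue, the Shiro tutorial or the Shiro code base. The class name RememberMeKeyConfig and its method names are hypothetical; the Shiro calls it uses (AesCipherService.generateNewKey, AbstractRememberMeManager.setCipherKey/getCipherKey, DefaultSecurityManager.setRememberMeManager) are real 1.2.x API. The remember-me cookie holds the user's serialized PrincipalCollection encrypted with this key, so anyone who knows the key can mint a cookie for any user; with the shipped default, that is everyone who has read the Shiro source.

```java
import java.security.Key;
import java.util.Arrays;

import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

/**
 * Hypothetical helper (not part of Shiro) showing where the remember-me
 * cipher key lives and how to replace the default that every Shiro install shares.
 */
public class RememberMeKeyConfig {

    /**
     * Generate a fresh, random AES key for the remember-me cookie cipher.
     * AesCipherService.generateNewKey() produces a 128-bit key by default.
     * Do this once per deployment and keep the result out of source control.
     */
    public static byte[] generateRememberMeKey() {
        AesCipherService aes = new AesCipherService();
        Key key = aes.generateNewKey();
        return key.getEncoded();
    }

    /**
     * Build a web security manager whose CookieRememberMeManager encrypts the
     * serialized PrincipalCollection in the rememberMe cookie with cipherKey
     * instead of the key hard-coded in AbstractRememberMeManager.
     */
    public static DefaultWebSecurityManager securityManagerWithKey(byte[] cipherKey) {
        CookieRememberMeManager rememberMe = new CookieRememberMeManager();
        rememberMe.setCipherKey(cipherKey);   // sets both the encryption and decryption key
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(rememberMe);
        return securityManager;
    }

    /**
     * True if the manager still uses the key compiled into Shiro. A freshly
     * constructed CookieRememberMeManager always carries that default, so it
     * serves as the reference value for the comparison.
     */
    public static boolean usesDefaultKey(CookieRememberMeManager manager) {
        byte[] shipped = new CookieRememberMeManager().getCipherKey();
        return Arrays.equals(shipped, manager.getCipherKey());
    }

    public static void main(String[] args) {
        // "No config - built in!": the key is the same on every deployment.
        CookieRememberMeManager unconfigured = new CookieRememberMeManager();
        System.out.println("unconfigured manager uses default key: " + usesDefaultKey(unconfigured));

        // With a per-deployment key the comparison no longer matches.
        byte[] key = generateRememberMeKey();
        DefaultWebSecurityManager sm = securityManagerWithKey(key);
        CookieRememberMeManager configured = (CookieRememberMeManager) sm.getRememberMeManager();
        System.out.println("configured manager uses default key: " + usesDefaultKey(configured));

        // Base64 form of the generated key, the format shiro.ini expects for
        // a byte[] property such as securityManager.rememberMeManager.cipherKey.
        System.out.println("cipherKey = " + Base64.encodeToString(key));
    }
}
```

      The same result in INI-based setups is a single [main] line, `securityManager.rememberMeManager.cipherKey = <Base64 value printed above>`, since the web security manager's default remember-me manager is already a CookieRememberMeManager and Shiro's property conversion decodes Base64 into byte[]. Treat the key like any other secret: generate it per environment, load it from configuration rather than the source tree, and rotate it if it leaks; rotating it invalidates existing remember-me cookies, which is the intended effect.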


              People

              • Assignee: Unassigned
              • Reporter: Marian Seitner (marian.seitner)
              • Votes: 2
              • Watchers: 6
