[daisy] "Remember Me" functionality implementation proposal
Bruno Dumon
bruno at outerthought.org
Wed Sep 13 09:21:43 CDT 2006
Hi,

I started thinking a bit about how we could implement the "remember me"
functionality in Daisy. Basically this works by storing a token (some
string that can be used as a substitute for the password) in a cookie;
from here on I will therefore call this token-based authentication.

The repository server currently expects a username and password as
credentials for authentication. If we want to be able to do a
token-based authentication, we need to add support for it in the
repository server (unless we would store token-username-password in the
Wiki, which is not desirable).

Rather than extending the repository "hard-coded" with token-based
authentication, I would approach this by allowing new credential types
to be registered in the repository server. So next to the built-in
username/password-based credentials, it would be possible to have other
credential types, and for now specifically token-based credentials. A
repository client can then use whatever sort of credentials it prefers,
as long as it is supported by the repository. On the user record, it
should be possible to indicate which credential types are allowed (for
the case where you don't want to allow e.g. token-based access for
certain users).

The token-based credentials would work as follows:

- for each user a list of valid tokens will be managed
- each time 'remember me' is used when logging in (via the log-in screen)
  a new token will be requested and stored in a cookie
- logging out explicitly will invalidate (drop) the token used on that PC
- there will be the possibility for a user to invalidate all tokens
- a token will have an expiry time. This could be set to a couple of
  weeks; each time the user uses the token the expiry time can be updated.
  This allows removing/cleaning up tokens which have not been used in a
  long time.
- to restore the active roles of the user, a separate cookie can be
  maintained which keeps the list of active roles (there are no special
  security issues with this).

These are the basic ideas. Comments welcome.
--
Bruno Dumon http://outerthought.org/
Outerthought - Open Source, Java & XML Competence Support Center
bruno at outerthought.org bruno at apache.org
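As an added illustration of the token list described in the proposal (this is example code written for this page, not Daisy's own implementation and not part of the original post), the sketch below keeps a per-user list of tokens, issues a token when "remember me" is used, drops one token on logout, drops all tokens on request, and applies a sliding expiry so that a cleanup pass can remove tokens that have not been used in a long time. It stores only a SHA-256 hash of each token on the server side, so a leaked token list cannot be replayed; the class and method names, the `user:token` cookie layout and the explicit `now` argument are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Lifetime of an unused token: "a couple of weeks" in the proposal.
TOKEN_LIFETIME_SECONDS = 14 * 24 * 3600


@dataclass
class TokenRecord:
    token_hash: bytes   # SHA-256 of the token; the plaintext lives only in the cookie
    expires_at: float   # Unix time after which the token is no longer accepted


class RememberMeStore:
    """Repository-side list of valid 'remember me' tokens, one list per user (hypothetical)."""

    def __init__(self, lifetime=TOKEN_LIFETIME_SECONDS):
        self.lifetime = lifetime
        self._tokens = {}              # username -> list[TokenRecord]
        self._token_auth_allowed = {}  # username -> bool: the per-user credential-type flag

    def set_token_auth_allowed(self, user, allowed):
        """Models the 'allowed credential types' setting on the user record."""
        self._token_auth_allowed[user] = allowed

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).digest()

    def issue_token(self, user, now):
        """'Remember me' ticked at login: mint a token and return the cookie value."""
        if not self._token_auth_allowed.get(user, False):
            raise PermissionError(f"token-based credentials not allowed for {user!r}")
        token = secrets.token_hex(32)  # 256 random bits, not guessable
        self._tokens.setdefault(user, []).append(
            TokenRecord(self._hash(token), now + self.lifetime))
        return f"{user}:{token}"       # token is hex, so ':' is a safe separator

    def _find(self, user, token):
        wanted = self._hash(token)
        for rec in self._tokens.get(user, []):
            if hmac.compare_digest(rec.token_hash, wanted):  # constant-time compare
                return rec
        return None

    def authenticate(self, cookie_value, now):
        """Return the username if the cookie carries a valid token, else None."""
        user, sep, token = cookie_value.rpartition(":")
        if not sep or not self._token_auth_allowed.get(user, False):
            return None
        rec = self._find(user, token)
        if rec is None or rec.expires_at <= now:
            return None
        rec.expires_at = now + self.lifetime  # sliding expiry: each use extends the token
        return user

    def revoke(self, cookie_value):
        """Explicit logout: drop only the token used on this PC."""
        user, sep, token = cookie_value.rpartition(":")
        rec = self._find(user, token) if sep else None
        if rec is None:
            return False
        self._tokens[user].remove(rec)
        return True

    def revoke_all(self, user):
        """Invalidate every token of the user; returns how many were dropped."""
        return len(self._tokens.pop(user, []))

    def active_token_count(self, user):
        return len(self._tokens.get(user, []))

    def cleanup(self, now):
        """Periodic pass: drop tokens not used within the lifetime; returns the count removed."""
        removed = 0
        for user, recs in self._tokens.items():
            keep = [r for r in recs if r.expires_at > now]
            removed += len(recs) - len(keep)
            self._tokens[user] = keep
        return removed
```

The roles cookie mentioned in the last bullet is deliberately not part of this store: it only restores UI state and is never consulted for authentication, so it needs no server-side record.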