The current HttpUtilities.setRememberToken(String password, int maxAge, String domain, String path) interface takes a user's cleartext password. The reference implementation (DefaultHttpUtilities) creates an AES-encrypted HTTP cookie that contains the username and password of the user to be remembered. Storing the password using reversible encryption is contrary to the stated corporate security policies of many companies, and therefore using this as a technique to provide unattended login access should be discouraged, if for no other reason than that corporate policy will (or should) prevent this method from seeing widespread use.

Instead, a new replacement interface, something like this:

HttpUtilities.setRememberToken(int maxAge, String domain, String path)

should be implemented to take advantage of CryptoToken, which does not require a user's password to be made secure.
Original issue reported on code.google.com by kevin.w.wall@gmail.com on 26 Nov 2013 at 6:27
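As an added illustration of the password-free design the report argues for (example code written here, not ESAPI's CryptoToken or DefaultHttpUtilities): the cookie value binds only the username, an expiry and a random nonce under an HMAC computed with a server-side key, so the server can verify the remember-me cookie without the cleartext password ever being stored client-side. The key source (a keystore) is assumed; here it is generated for the demo.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Added example: HMAC-signed remember-me token carrying no password (not ESAPI's CryptoToken). */
public class RememberToken {
    private static final String ALG = "HmacSHA256";
    private final byte[] serverKey; // assumed long-lived server-side secret, never sent to the client
    public RememberToken(byte[] serverKey) { this.serverKey = serverKey.clone(); }

    /** Token = base64url(username):expiresAtMillis:base64url(nonce):base64url(mac). */
    public String create(String username, long expiresAtMillis) throws Exception {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce); // makes every token unique even for the same user/expiry
        String payload = b64(username.getBytes(StandardCharsets.UTF_8)) + ":" + expiresAtMillis + ":" + b64(nonce);
        return payload + ":" + b64(mac(payload));
    }

    /** Returns the username when the MAC verifies and the token is unexpired, otherwise null. */
    public String verify(String token, long nowMillis) throws Exception {
        String[] p = token.split(":", -1);
        if (p.length != 4) return null;
        String payload = p[0] + ":" + p[1] + ":" + p[2];
        byte[] given; long expiresAt;
        try {
            given = Base64.getUrlDecoder().decode(p[3]);
            expiresAt = Long.parseLong(p[1]);
        } catch (IllegalArgumentException e) { return null; } // NumberFormatException is a subclass
        if (!MessageDigest.isEqual(mac(payload), given)) return null; // constant-time compare
        if (nowMillis >= expiresAt) return null;
        return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
    }

    private byte[] mac(String data) throws Exception {
        Mac m = Mac.getInstance(ALG);
        m.init(new SecretKeySpec(serverKey, ALG));
        return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // constructed for the demo; a real key is loaded from a keystore
        RememberToken rt = new RememberToken(key);
        long now = System.currentTimeMillis(), later = now + 14L * 24 * 3600 * 1000;
        String t = rt.create("alice", later);
        String[] p = t.split(":", -1); // forge: push the expiry forward without re-signing
        String forged = p[0] + ":" + (later + 1) + ":" + p[2] + ":" + p[3];
        System.out.println(rt.verify(t, now) + " " + rt.verify(t, later) + " " + rt.verify(forged, now));
    }
}
```

The string returned by create() is what a password-free setRememberToken(maxAge, domain, path) would place in the cookie; if the cookie is stolen, revoking it is a matter of rotating the key or tracking issued nonces server-side, not resetting the user's password.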