marylinh / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

Deprecate current HttpUtilities.setRememberToken() and replace with one not requiring user password #311

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The current HttpUtilities.setRememberToken(String password, int maxAge, String 
domain, String path) interface takes a user's cleartext password. The reference 
implementation (DefaultHttpUtilities) creates an AES encrypted HTTP cookie that 
contains the username and password of the user to be remembered. Storing the 
password using reversible encryption is contrary to the stated corporate 
security policies of many companies and therefore using this as a technique to 
provide unattended login access should be discouraged if for no other reason 
than corporate policy will (or should) prevent this method from seeing 
widespread use.

Instead, a new replacement interface something like this:
HttpUtilities.setRememberToken(int maxAge, String domain, String path)
should be implemented to take advantage of CryptoToken which does not require a 
user's password to be made secure.

Original issue reported on code.google.com by kevin.w.wall@gmail.com on 26 Nov 2013 at 6:27