probably with such a method 99% of most 'kiddy' hackers that try to run hacks read in books are filtered out.

I had a customer ask me about a "remember me" tickbox for their site once. Luckily I managed to convince them it was a security issue and that, should a user want it to, most browsers do it for them now. Thankfully they agreed and didn't push me on it, as I hate having to explain that "You can't do that with Domino" over and over.

See bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php and bioinformatics.org/phplabware/internal_utilities/htmLawed/rsnake/RSnakeXSSTest.htm

He made the point that all browsers will remember your user name and password for you. So all you have to do is click the login button or link.

Does that work with your fly-out log in form?

Rob:-]

Security aside (I'd need to delve deeper to fully understand it myself) there's the practical side of implementing it, which I can't see being straight-forward.

A typical remember-me feature just knows who you are when you first request a page on the site. Even if we invent a remember-me cookie for Domino we won't be able to use it in that way. Domino's authentication methods are fairly closed off to us.

What you'd have to do is have the page open and then have some JavaScript check for the cookie. If found the same script needs to POST the name/pass values to the server so it can initiate a session and return a valid DomAuthSessId cookie. At this point you're probably going to want to reload the page to make it user-specific. Even if it's really quick it might seem odd and confusing to the user. Maybe it could be done transparently before any content appears. Either way I don't think it's what a user would expect to happen.

As with most things Domino, there's a way to do just about anything. In this scenario though I think I'd suggest a user might use the built-in login-remembering features of the current browsers.

Jake

I've given this some thought and done some Internet research.

ASSUMPTIONS

Please check my assumptions here.

1. In order to log a person into Domino they must submit a user name and password. Therefor, in order for the "remember me" function to work, the user name and password must be entered into the login form somehow. (Other systems may have other options but, as Domino users, we do not.)

2. An MD5 (or any other) hash is a one-way operation. That is, once the password is hashed it can not be recovered.

3. The attack we are protecting is cookie theft. That is the attacker has obtained our user's "remember me" cookie and is trying to use it to log into the site.

THEREFOR

Given #1 above, whatever we do we must somehow use the "remember me" cookie to retrieve or extract the user name and password to be used for the automatic log in process. All the methods I read about seem to be about obfuscating at least the password and ameliorating the damage a stolen cookie can do.

For example:

Link

DISCUSSION

If I store a unique identifier in the "remember me" cookie (which could be generated by MD5 or many other methods) which lets me look up and pass back the user name and password then that could be used in the log in form. But any attacker that steals that cookie could do exactly the same thing so nothing of real value has been accomplished. All we've done is obfuscated the user name and password.

So given assumption #1 and #3, I see no way to prevent the attacker from obtaining the user name and password. If we could log a user in on the server side then we could protect the user name and password but not prevent the attacker from logging in.

Even public key cryptography fails in this case because there is no safe place to save the user's private key.

CONCLUSION

"Remember me" cookies are not safe and there is no way to make them safe.

Please point out where my reasoning is wrong because I'd like to use this feature. (I did read several places where people recommended saving the user name and password in a cookie.)

Peace,

Rob:-]

<form onsubmit="DEXT.Session.Authenticate(this.form); return false;"...

@Nick Wall, You can run a "keep alive" function every five or so minutes that retrieves a page to keep the session alive. The keep alive page should return the logged in user. If the user is "Anonymous", then re-login the user. The page should not require authentication so that it can return Anonymous if the user is no longer logged in.

I must admit, though -- checking for the presence of a cookie is a bit more elegant than the way I check! :D

Now I can put the user name and password into another cookie and log a visitor into the site when they return. This is a nice feature on many web sites that have a check box that say's "Remember Me". I've been wanting to have the option to add that feature for a long time.

Feel free to use this or any of my code in Ext.nd. It's all "open source" so you can do what you like with it.

I discussed that in the article too. Be sure to read more thoroughly next time ;o)

I guess the reason you're reloading the page after the login is to update the user-interface (hide-whens/computed texts)?

From my experience, it's simplest to create an iframe using a container-div created by dom, and inserting the iframe using innerHTML. Cross browser event-binding on dom-inserted iframes has given me so much head-ache, I've more or less given up on it.

Example:

var ifrContainer = document.createElement( 'div' );

ifrContainer.innerHTML = '<iframe src="/names.nsf?login" onload="someFunction()"></iframe>';

document.body.appendChild( ifrContainer );

function someFunction(){ alert( frames[frames.length-1].document.cookie )}

Your method of checking the cookie is much more elegant than mine.

My AJAX login POSTs a login request, onSuccess I then POST a ?CreateDocument, which does a simple XML print back, and if the value is ON, we're logged in, if not, we're not! But I was very unhappy with this extra ?CreateDocument.

My forms rely heavily on AJAX, so if the session gets dropped, the form does not work correctly, but the user may not notice that specific fields, etc. are not loading correctly, I currently do something that has a completely unnecessary overhead, I check every x secs whether you are connected...his has issues, which I won't go into here. If the session has been dropped, my modal AJAX login form pops up. But there is of course, a much more elegant solution:

Link

Incorporating your cookie technique and the ajax cache, I think will take care of these issues very nicely.

Good work Jake.

My daughter will turn one in a few weeks and we've got to have our family pictures made too.

Good swap on the work! But wait for the bill if you hire him for pictures :)

Aaron

Karen. I'll tell Quinn (and Karen) that. They'll love it. I know Karen loves the whole "look like sisters" thing.

Dan. Thanks. You're right. I am like that. But also I like winding mates up and you should have seen his face when he realised how unfair the exchange was. Priceless.

I do have a no BS policy when it comes to dealing with my (Rockall's) customers though. Always tell it like it is. I (like to) think that that's why they come back.

@Keith: That answer was typical Jake though. Straightforward, pulls no punches. That's what I like about him :-)

Dan

Great looking family and great photos. Reminds me also that we need an updated family photo.

But regarding this: "Yeah, I just unplugged it and plugged in back in again" I replied.

I think I would have told him something other than that :-D Like you spent the last hour battling with "Name the OS" to get through it's cryptic file system and dialog boxes to finally work a miracle to get it to connect and that anyone else wouldn't have been as successful :-P