I've implemented a more secure cookie-based auto-login in the TF-Login 'password' branch to replace the existing simple and insecure cookie scheme.
To load, start with a fresh Pharo 7 image:
"First load Seaside."
Metacello new
    baseline: 'Seaside3';
    repository: 'github://SeasideSt/Seaside:v3.3.3/repository';
    load.
"Then load TF-Login."
Metacello new
    baseline: 'TFLogin';
    repository: 'github://PierceNg/TF-Login:password/src';
    load.
Start Test Runner to run TF-Login's tests. All 78 tests should pass. The class TLTest runs "scripted interactive" tests on the TLTester Seaside application. TLTest's testLoginLogout and testLoginThenAutomaticLogin methods exercise the cookie-based auto-login functionality.
Auto-login is also implemented in the TLTestApp demo Seaside application. Here's a screenshot of the cookie stored in Chromium upon logging into TLTestApp.
The original cookie-based auto-login stores the username and the SHA1-hashed password in client cookies. This replacement implementation is based on Paragon Initiative's blog post on "remember me" cookies.
Tags: Seaside, security, TF-Login

I've implemented PBKDF2-HMAC-SHA1 in the TF-Login 'password' branch to replace the existing simple and insecure SHA1-based password hashing scheme.
To load, start with a fresh Pharo 7 image:
"First load Seaside."
Metacello new
    baseline: 'Seaside3';
    repository: 'github://SeasideSt/Seaside:v3.3.3/repository';
    load.
"Then load TF-Login."
Metacello new
    baseline: 'TFLogin';
    repository: 'github://PierceNg/TF-Login:password/src';
    load.
As originally implemented, TF-Login also supports cookie-based auto-login, which works by storing the username and the SHA1-hashed password in client cookies. This scheme is certainly not secure by current standards and can't be used together with PBKDF2-HMAC-SHA1 password hashing.
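As an added illustration of the two changes described above (not TF-Login's own code, and in Python rather than Pharo so it runs stand-alone), here is PBKDF2-HMAC-SHA1 password storage next to a selector/validator "remember me" cookie in the style of the Paragon post; the in-memory stores, iteration count and cookie format are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for TF-Login's user database (assumption).
USERS = {}      # username -> (salt, PBKDF2-HMAC-SHA1 digest)
REMEMBER = {}   # selector -> (username, SHA-256 of the validator)
ITERATIONS = 100_000   # assumed iteration count; the branch's own value is not on the page

def set_password(username, password):
    """Store a per-user random salt and the PBKDF2 digest, never a bare SHA1 of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS)
    USERS[username] = (salt, digest)

def check_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def issue_remember_cookie(username):
    """Selector/validator token: the cookie carries both, the server keeps only the
    selector and a hash of the validator, so a leaked table yields no usable cookies
    and the password hash is never placed in the cookie at all."""
    selector = secrets.token_hex(12)
    validator = secrets.token_bytes(32)
    REMEMBER[selector] = (username, hashlib.sha256(validator).digest())
    return selector + ":" + validator.hex()

def auto_login(cookie):
    """Return the username for a valid remember-me cookie, else None."""
    try:
        selector, validator_hex = cookie.split(":", 1)
        validator = bytes.fromhex(validator_hex)
    except ValueError:
        return None
    rec = REMEMBER.get(selector)
    if rec is None:
        return None
    username, stored = rec
    if hmac.compare_digest(hashlib.sha256(validator).digest(), stored):
        return username
    # A known selector with the wrong validator suggests a tampered or stolen
    # cookie; revoking the selector forces a fresh password login.
    del REMEMBER[selector]
    return None
```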
Possible future work on TF-Login password management:
OAuth2, to replace the existing insecure cookie-based auto-login
2FA
I've ported TF-Login to Seaside 3.3 and Pharo 7.
To load, start with a fresh Pharo 7 image:
Metacello new
    baseline: 'Seaside3';
    repository: 'github://SeasideSt/Seaside:v3.3.3/repository';
    load.
Metacello new
    baseline: 'TFLogin';
    repository: 'github://PierceNg/TF-Login:pharo7/src';
    load.
The baseline doesn't load Seaside, in case you want to load it into an image that already has Seaside.
Start Test Runner and run the TF-Login tests. All 62 tests should pass.
Tags: Seaside, security, TF-Login

TF-Login is a package that provides basic user authentication, registration, and account management for Seaside. It was originally developed on Pharo 1 by Tony Fleig, and ported to Pharo 2 by sergio101.
I am attempting to make TF-Login work with Seaside 3.3.x on Pharo 7. For now, I've reorganized the packages and fixed TLMultiFileDatabase to pass its tests.
Collaborators are welcome.
Tags: Seaside, security, TF-Login