More Secure Cookie Auto Login for TF-Login

14 Jan 2020

I've implemented a more secure cookie-based auto-login in TF-Login 'password' branch to replace the existing simple and insecure cookie scheme.

To load, start with fresh Pharo 7 image:

"First load Seaside."
Metacello new 
    baseline: 'Seaside3'; 
    repository: 'github://SeasideSt/Seaside:v3.3.3/repository'; 
    load. 
    
"Then load TF-Login."
Metacello new 
    baseline: 'TFLogin'; 
    repository: 'github://PierceNg/TF-Login:password/src'; 
    load.

Start Test Runner to run TF-Login's tests. All 78 tests should pass. The class TLTest runs "scripted interactive" tests on the TLTester Seaside application. TLTest's testLoginLogout and testLoginThenAutomaticLogin methods exercise the cookie-based auto-login functionality.

Auto-login is also implemented in the TLTestApp demo Seaside application. Here's a screenshot of the cookie stored in Chromium upon logging into TLTestApp.

TF-Login cookie in Chromium

The original cookie-based auto-login stores username and the SHA1-hashed password in client cookies. This replacement implementation is based on Paragon Initiative's blog post on "remember me" cookies.

Tags: Seaside, security, TF-Login

PBKDF2-HMAC-SHA1 password hashing for TF-Login

17 Nov 2019

I've implemented PBKDF2-HMAC-SHA1 in TF-Login 'password' branch to replace the existing simple and insecure SHA1-based password hashing scheme.

To load, start with fresh Pharo 7 image:

"First load Seaside."
Metacello new 
    baseline: 'Seaside3'; 
    repository: 'github://SeasideSt/Seaside:v3.3.3/repository'; 
    load. 
    
"Then load TF-Login."
Metacello new 
    baseline: 'TFLogin'; 
    repository: 'github://PierceNg/TF-Login:password/src'; 
    load.

As originally implemented, TF-Login also supports cookie-based auto-login, which works by storing username and the SHA1-hashed password in client cookies. This scheme is certainly not secure by current standards and can't be used together with PBKDF2-HMAC-SHA1 password hashing.

Possible future work on TF-Login password management:

  • OAuth2, to replace the existing insecure cookie-based auto-login

  • 2FA

Tags: cryptography, Seaside, security, TF-Login

[ANN] TF-Login for Seaside 3.3 for Pharo 7

15 Nov 2019

I've ported TF-Login to Seaside 3.3 and Pharo 7.

To load, start with fresh Pharo 7 image:

Metacello new 
    baseline: 'Seaside3'; 
    repository: 'github://SeasideSt/Seaside:v3.3.3/repository'; 
    load. 
    
Metacello new 
    baseline: 'TFLogin'; 
    repository: 'github://PierceNg/TF-Login:pharo7/src'; 
    load.

The baseline doesn't load Seaside, in case you want to load it into an image that already has Seaside.

Start Test Runner and run the TF-Login tests. All 62 tests should pass.

Tags: Seaside, security, TF-Login

TF-Login for Seaside

14 Nov 2019

TF-Login is a package that provides basic user authentication, registration, and account management for Seaside. It was originally developed on Pharo 1 by Tony Fleig, and ported to Pharo 2 by sergio101.

I am attempting to make TF-Login work with Seaside 3.3.x on Pharo 7. For now, I've reorganized the packages and fixed TLMultiFileDatabase to pass its tests.

Collaborators are welcome.

Tags: Seaside, security, TF-Login
Powered by Free Pascal and Lazarus