On 04/03/2010 04:47 PM, stefan bachert wrote:
> Hi,
>
> is there a way to get rid of the rememberme cookie at all.
> Just setting rememberme_j to false does not work.

You can do it, but it's not trivial. You need to create a new class implementing com.xpn.xwiki.user.api.XWikiAuthService (you could extend com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl or AbstractXWikiAuthService for a start) and use a different PersistentLoginManager instead of the current (hardcoded) MyPersistentLoginManager which uses cookies. Then, in xwiki.cfg set the value for xwiki.authentication.authclass to the FQN of this implementation. You could consider one of the other authenticator methods, LDAP, NTLM, SunSSO, headers...

> I still feel bad with this rememberme feature. It is a security hole.

Well, it isn't such a huge hole, most of the web uses cookies for authentication. Combined with SSL always on and with IP-bound cookies, it's actually quite good.

--
Sergiu Dumitriu
http://purl.org/net/sergiu/
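
An added example, not part of the original message and not XWiki's own code: it illustrates what an IP-bound remember-me cookie sent only over SSL means in practice. The cookie name `rememberme`, the token layout, the 14-day lifetime and the key are assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from http.cookies import SimpleCookie

# Assumption: a server-side secret; this value is constructed for the demo.
SECRET = b"constructed-demo-key-not-for-production"
TTL = 14 * 24 * 3600  # assumed lifetime of the remember-me token, in seconds


def _mac(user, expiry, client_ip):
    # The client IP is part of the MAC input but is never stored in the cookie.
    msg = f"{user}|{expiry}|{client_ip}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user, client_ip, now=None):
    """Return 'user|expiry|mac', bound to the IP the login came from."""
    if "|" in user:
        raise ValueError("separator character not allowed in user name")
    expiry = int(time.time() if now is None else now) + TTL
    return f"{user}|{expiry}|{_mac(user, expiry, client_ip)}"


def verify_token(token, client_ip, now=None):
    """Return the user name, or None if tampered, expired or from another IP."""
    try:
        user, expiry_s, mac = token.split("|")
        expiry = int(expiry_s)
    except ValueError:
        return None
    expected = _mac(user, expiry, client_ip)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if (time.time() if now is None else now) > expiry:
        return None
    return user


def set_cookie_header(token):
    """Build the Set-Cookie value: Secure keeps it off plain HTTP."""
    cookie = SimpleCookie()
    cookie["rememberme"] = token
    cookie["rememberme"]["secure"] = True
    cookie["rememberme"]["httponly"] = True
    cookie["rememberme"]["path"] = "/"
    return cookie["rememberme"].OutputString()
```

A token copied to a machine with a different address fails verification, at the cost of logging out users whose IP changes.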
