Sessions for the login

tkrammtkramm
in Feature Requests
Would be nice if there where sessions (checkbox "Remember my credentials"), since every reload of the page or switch of language requires a relogin

(Repetier-Server 0.50.1 / OS X 10.10)

Comments

  • RepetierRepetier
    Every reload creates a new session. To make it remember password I would have to store it locally without protection. I did not think that was a good idea, but maybe it is. For me chrome remembers it so it was not a big problem. 

    Maybe I should add it anyway with some security notice.
  • tkrammtkramm
    I like the way AVM does the authentication with their Fritzbox API. They do a challenge-response authentication so the password is never transmitted plain text, which would make sense since repetier-server only uses http, not https. 
    On the login screen there is a field with a Challenge eg. 0cbc66 (changing on every call). Now the user types in his username and password and the password + challange get hashed client side:
    md5("Password"+"0cbc66") = 5640705344598c4c1f5e3b037acba8f9 
    Now username and the hashed value are transmitted and the server does the same hashing and compares. This is also possible with salted passwords, which is always a good idea, then you would have to be in two stages (script submits username only, gets the salt if user exists and then salts the password first before doing the hash with the challange. This way the password would not be stored or transmitted plain text.
    after successfull authentication the server returns a session id which is applied to the url scheme or in the post part of a request. If the session id is valid the requested page is returned if not the loginscreen. 
    Everytime a request with the valid session id is made the timeout is reset. This timeout could be 5 min a day or even 30 days. This should be configurable by the user in respect to the required security in repetier server.

    Just as an idea...
  • tkrammtkramm
    I forgot, the session ID could also be stored in a client side cookie
  • RepetierRepetier
    That is like it was already done, except that server created a new session for each socket and that session key was not stored. I have now extended it so it will invalidate sessions after 30 minutes or 7 days for remember me function or until next restart which looses all session data anyway. Will be part of 0.50.2.
  • tkrammtkramm
    Great thanks!
Sign In or Register to comment.