Shiro: how do I remember how I work?

Question

I have a few questions about Shiro that remember me:

Why does Shiro generate different “remember me” tokens for the same account every time I log in?
Can a hacker generate a “remember me” token for any account, if I use the default CipherKey?
How can I control the “remember me” duration? Liver by age? So, if the client cookie never expires, then remember me cookie will work forever?

+4

fedor.belov Oct 29 '14 at 19:42

2 answers

Rich · Answer 1 · 2016-02-25T17:02:53+0000

" " , , . . , .

IV
cookie " " "", .. , AES ( ). . Shiro IV - . JcaCipherService, .
!
-, Shiro , " " .
, "@RequiresAuthentication" - , , .
, , . , Shiro , " " . . https://github.com/pledbrook/grails-shiro/issues/28
!
cookie " " " ", 1 - . CookieRememberMeManager.
, Shiro cookie, , .
, , .

Shiro :

briarheart · Answer 2 · 2014-10-29T20:24:59+0000

.
BalusC. .
rememberMe cookie - . Shiro cookie rememberMeManager:
securityManager.rememberMeManager.cookie.maxAge = <max_age >