add support for a private key with cflogin

Description

When loginstorage is set to "cookie", the cookie generated by cflogin is simply base64 encoded. When you decode the cookie you see the user, and if you know another user name you can change that cookie and try to access the site as that other user.
Lucee should have the (optional) option to encrypt that cookie with a private key, so it cannot be read unless you have that key.

Environment

None

Activity

Michael Offner
August 18, 2020, 8:56 AM

We added the possibility to define a private key in the environment variable "lucee.loginstorage.privatekey". If that variable does not exist, everything works identically to previous versions, but if it exists, that key will be used to encrypt the data.

We use Blowfish encryption (10 times); that is maybe not the most secure encryption, but the private key does not have to be the same length as the data we encrypt.

Michael Offner
September 11, 2020, 12:56 PM

We also added salt.
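As an added example (not Lucee's code and not part of this issue), the following Python sketch contrasts the two cookie formats discussed here: the plain base64 cookie from the description, and a keyed cookie as in the comments above, with a private key read from a setting that stands in for lucee.loginstorage.privatekey and a random salt per cookie. Lucee's fix uses Blowfish; the Python standard library has no Blowfish, so this sketch substitutes an HMAC-SHA256 keystream for the cipher and additionally appends an HMAC tag so that a cookie that was altered, or produced without the key, is rejected instead of decoded. The PRIVATE_KEY value, the `user:roles` payload and the salt/ciphertext/tag layout are constructed assumptions, not Lucee's actual cookie format.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed stand-in for the value Lucee reads from the environment
# variable lucee.loginstorage.privatekey (the real key is never on this page).
PRIVATE_KEY = "constructed-example-key-change-me"

SALT_LEN = 16  # random salt bytes per cookie (assumed layout, not Lucee's)
TAG_LEN = 32   # HMAC-SHA256 tag appended after the ciphertext


def encode_plain(user: str, roles: str) -> str:
    """The situation the issue describes: the cookie is only base64-encoded."""
    return base64.urlsafe_b64encode(f"{user}:{roles}".encode()).decode()


def decode_plain(cookie: str) -> Tuple[str, str]:
    """Anyone holding the cookie can read it, and anyone can produce one."""
    user, roles = base64.urlsafe_b64decode(cookie).decode().split(":", 1)
    return user, roles


def _subkeys(private_key: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the private key and the per-cookie salt."""
    k = private_key.encode()
    k_enc = hmac.new(k, b"enc" + salt, hashlib.sha256).digest()
    k_mac = hmac.new(k, b"mac" + salt, hashlib.sha256).digest()
    return k_enc, k_mac


def _keystream(k_enc: bytes, salt: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for the Blowfish cipher named in the comment."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, salt + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encode_sealed(user: str, roles: str, private_key: Optional[str] = PRIVATE_KEY) -> str:
    """No key configured: behave as before (plain base64). Key configured: encrypt and tag."""
    if not private_key:
        return encode_plain(user, roles)
    salt = secrets.token_bytes(SALT_LEN)  # fresh salt: same user, different cookie each login
    k_enc, k_mac = _subkeys(private_key, salt)
    plaintext = f"{user}:{roles}".encode()
    ciphertext = _xor(plaintext, _keystream(k_enc, salt, len(plaintext)))
    tag = hmac.new(k_mac, salt + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(salt + ciphertext + tag).decode()


def decode_sealed(cookie: str, private_key: Optional[str] = PRIVATE_KEY) -> Optional[Tuple[str, str]]:
    """Return (user, roles), or None when the cookie was altered or not made with this key."""
    if not private_key:
        return decode_plain(cookie)
    try:
        raw = base64.urlsafe_b64decode(cookie)
    except ValueError:
        return None
    if len(raw) < SALT_LEN + TAG_LEN:
        return None
    salt, ciphertext, tag = raw[:SALT_LEN], raw[SALT_LEN:-TAG_LEN], raw[-TAG_LEN:]
    k_enc, k_mac = _subkeys(private_key, salt)
    expected = hmac.new(k_mac, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    plaintext = _xor(ciphertext, _keystream(k_enc, salt, len(ciphertext)))
    user, roles = plaintext.decode().split(":", 1)
    return user, roles


def exposes_user(cookie: str, user: str) -> bool:
    """Does base64-decoding the cookie reveal the user name in clear?"""
    return user.encode() in base64.urlsafe_b64decode(cookie)


def flip_byte(cookie: str, offset: int) -> str:
    """Test helper: flip one bit of the decoded cookie to exercise the integrity check."""
    raw = bytearray(base64.urlsafe_b64decode(cookie))
    raw[offset] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    plain = encode_plain("alice", "admin")
    sealed = encode_sealed("alice", "admin")
    print("plain cookie reveals user:", exposes_user(plain, "alice"))    # True
    print("sealed cookie reveals user:", exposes_user(sealed, "alice"))  # False
    print("sealed cookie decodes to:", decode_sealed(sealed))            # ('alice', 'admin')
    print("modified sealed cookie:", decode_sealed(flip_byte(sealed, SALT_LEN)))  # None
```

Encryption by itself is what makes the cookie unreadable, which is the property the issue asks for; the appended tag is the extra check that lets the server refuse a cookie whose bytes were changed or that was produced with a different key, and the per-cookie salt keeps two logins of the same user from producing identical cookies.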

Fixed

Assignee

Unassigned

Reporter

Michael Offner

Priority

Critical

Labels

Fix versions
