add support for a private key with cflogin

Description

When loginstorage is set to "cookie", the cookie generated by cflogin is simply base64 encoded. When you decode the cookie you see the user, and if you know another user name you can change that cookie and try to access the site with another user.
Lucee should have the (optional) option to encrypt that cookie with a private key, so it cannot be read unless you have that key.

Environment

None

Activity

Michael Offner 
18 August 2020 at 08:56

We added the possibility to define a private key in the environment variable "lucee.loginstorage.privatekey". If that variable does not exist, everything works identically to previous versions, but if it exists, that key will be used to encrypt the data.

We use Blowfish encryption (10 times); that is maybe not the most secure encryption, but the private key must not have the same length as the data we encrypt.
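The following is an added example, not Lucee's code: it contrasts the pre-fix cookie format from the description (username only base64 encoded) with a keyed format that a server can verify. It uses HMAC-SHA256 from the Python standard library instead of Lucee's Blowfish encryption, so it shows the forgery check rather than the exact cipher; the key and usernames are constructed sample values.

```python
import base64
import hashlib
import hmac

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def legacy_cookie(user: str) -> str:
    """Pre-fix format: the username is only base64 encoded, no key involved."""
    return base64.b64encode(user.encode()).decode()


def legacy_read(cookie: str) -> str:
    """The legacy cookie decodes for anyone; nothing ties it to the server."""
    return base64.b64decode(cookie).decode()


def protected_cookie(user: str, key: bytes) -> str:
    """Keyed format: payload followed by an HMAC-SHA256 tag over it.

    In Lucee the key would come from the environment variable
    lucee.loginstorage.privatekey; here it is passed in explicitly.
    """
    payload = user.encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def protected_read(cookie: str, key: bytes):
    """Return the user only if the tag verifies; None for altered, forged or legacy cookies."""
    raw = base64.b64decode(cookie)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest is constant-time and returns False on length mismatch,
    # so an unkeyed legacy cookie (no tag at all) is rejected too.
    if not hmac.compare_digest(tag, expected):
        return None
    return payload.decode()


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    print("legacy decodes for anyone:", legacy_read(legacy_cookie("alice")))
    cookie = protected_cookie("alice", key)
    print("keyed cookie verifies:", protected_read(cookie, key))
    print("wrong key rejected:", protected_read(cookie, b"other-key"))
```

The HMAC variant keeps the user name readable but unforgeable; the Blowfish encryption Lucee added also hides it from the client.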

Fixed


Created 18 August 2020 at 08:53
Updated 5 April 2022 at 11:32
Resolved 11 September 2020 at 12:57