Affects Version/s: None
Fix Version/s: v2.6.0
Add a new option to authentication realm configuration (next to the already existing enableRememberMeFor):
- allowFor2ndFactor (default)
Change the semantics (handling and documentation) of enableRememberMeFor so that it is used only when the policy is not disallow, has a default value (e.g. 14 days) and requires a value > 0. In other words it no longer enables or disables the remember me feature; it merely controls the duration.
The existing remember me implementation should be dropped in favour of the implementation described below. This means that the remember me feature must not interfere with the login session time.
Depending on the policy value:
- disallow: do nothing.
- allowForWholeAuthn: an appropriate checkbox should be displayed on the initial login screen.
- allowFor2ndFactor: the same checkbox should be displayed only on the 2nd factor authn screen.
If the rememberMe checkbox was checked (on any screen) then Unity should, after successful authentication, set an additional rememberMe cookie lasting for the rememberMeFor time and additionally store a corresponding rememberMe object in the token store.
The cookie must contain two values: a crypto-strong random token (called rememberMeToken) and a random seriesToken. In the DB we store a corresponding entry under the key (i.e. the token value in the Unity token store API sense) of the seriesToken from the cookie, holding:
- the user's entity
- login machine details: IP, OS, browser
- login time
- the credential(s) that were used when authenticating (not needed now; we may need this for step-up authN in future)
- a SHA hash of the rememberMeToken
- the value of machineRememberPolicy that was in force when the token was created
The DB object should also be limited to the remember me time.
Verification of the remember me cookie:
- obtain the corresponding entry from the DB by the seriesToken from the cookie. If it is missing, ignore the cookie; the remember me feature is not active.
- hash the rememberMeToken from the cookie and compare it against the hash from the DB. If they are not equal then log an error and drop all remember me tokens for the user from the DB; the remember me feature is not active.
- check whether machineRememberPolicy is still the same as stored with the token. If not, the stored rememberMe token is ignored.
- at this stage the remember me feature is active.
When the remember me feature is active we should log the user in automatically (if allowForWholeAuthn is set) or store this information and skip the 2nd factor authN (if any). The login session must record that the rememberMe feature caused the authentication.
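The following is an added Python model of the token issuance and verification steps described above; it is not Unity's own Java code. The token store is an in-memory dictionary keyed by seriesToken (an assumption standing in for the Unity token store), policy values are plain strings, and the machine details, credentials and lifetimes are constructed sample values. It shows the two properties the design relies on: the DB holds only a hash of rememberMeToken, and a cookie that presents the right series but the wrong token is treated as evidence of theft, invalidating every remember me token of that user.

```python
import hashlib
import hmac
import logging
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

log = logging.getLogger("rememberMe")

# The three machineRememberPolicy values named in the issue (assumed plain strings here).
DISALLOW = "disallow"
ALLOW_FOR_WHOLE_AUTHN = "allowForWholeAuthn"
ALLOW_FOR_2ND_FACTOR = "allowFor2ndFactor"


@dataclass
class RememberMeRecord:
    """Everything the issue says is stored under the seriesToken key."""
    entity: str
    machine: dict          # IP, OS, browser
    login_time: datetime
    credentials: list      # credentials used at login (reserved for future step-up authN)
    token_hash: str        # SHA-256 of rememberMeToken; the raw token is never stored
    policy: str            # machineRememberPolicy in force when the token was created
    expires: datetime      # record lifetime bounded by rememberMeFor


class RememberMeStore:
    """In-memory stand-in for the token store, keyed by seriesToken (assumption)."""

    def __init__(self):
        self._records = {}

    def put(self, series: str, record: RememberMeRecord) -> None:
        self._records[series] = record

    def get(self, series: str, now: datetime) -> Optional[RememberMeRecord]:
        rec = self._records.get(series)
        if rec is None:
            return None
        if rec.expires <= now:          # an expired record behaves as if absent
            del self._records[series]
            return None
        return rec

    def drop_all_for_entity(self, entity: str) -> int:
        doomed = [s for s, r in self._records.items() if r.entity == entity]
        for s in doomed:
            del self._records[s]
        return len(doomed)

    def count(self) -> int:
        return len(self._records)


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_remember_me(store, entity, machine, credentials, policy, remember_for, now):
    """After a successful authn with the checkbox ticked: mint the cookie values, store the record."""
    if policy == DISALLOW:
        raise ValueError("machineRememberPolicy is disallow")
    if remember_for <= timedelta(0):
        raise ValueError("rememberMeFor must be > 0")
    series = secrets.token_urlsafe(32)      # both values are crypto-strong random
    token = secrets.token_urlsafe(32)
    store.put(series, RememberMeRecord(entity, dict(machine), now, list(credentials),
                                       _hash_token(token), policy, now + remember_for))
    return {"seriesToken": series, "rememberMeToken": token}


@dataclass
class VerifyResult:
    active: bool
    entity: Optional[str] = None
    full_login: bool = False   # True: log the user in; False: only skip the 2nd factor
    reason: str = ""


def verify_remember_me(store, cookie, current_policy, now) -> VerifyResult:
    """The verification steps from the issue, in the order given."""
    if not cookie or "seriesToken" not in cookie or "rememberMeToken" not in cookie:
        return VerifyResult(False, reason="no cookie")
    rec = store.get(cookie["seriesToken"], now)
    if rec is None:
        return VerifyResult(False, reason="unknown or expired series")
    # Constant-time comparison of the two hashes so the check leaks no timing information.
    if not hmac.compare_digest(_hash_token(cookie["rememberMeToken"]), rec.token_hash):
        log.error("rememberMe token mismatch for entity %s; dropping all its tokens", rec.entity)
        store.drop_all_for_entity(rec.entity)
        return VerifyResult(False, reason="token mismatch")
    if rec.policy != current_policy:
        return VerifyResult(False, reason="policy changed")
    return VerifyResult(True, rec.entity, full_login=(rec.policy == ALLOW_FOR_WHOLE_AUTHN))
```

The caller uses `full_login` to decide between the two outcomes in the last paragraph: with allowForWholeAuthn the session is created directly, otherwise only the second factor is skipped. Whichever branch is taken, the session should be marked as having been established via rememberMe, as the issue requires.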