From kevin.w.wall@gmail.com on November 26, 2013 13:27:30
The current HttpUtilities.setRememberToken(String password, int maxAge, String domain, String path) interface takes a user's cleartext password. The reference implementation (DefaultHttpUtilities) creates an AES encrypted HTTP cookie that contains the username and password of the user to be remembered. Storing the password using reversible encryption is contrary to the stated corporate security policies of many companies and therefore using this as a technique to provide unattended login access should be discouraged if for no other reason than corporate policy will (or should) prevent this method from seeing widespread use.
Instead, a new replacement interface something like this:
HttpUtilities.setRememberToken(int maxAge, String domain, String path)
should be implemented to take advantage of CryptoToken which does not require a user's password to be made secure.
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=311
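As an added example (not ESAPI project code and not code posted by the issue reporter), the sketch below shows what a password-free remember-me cookie in the shape of the proposed setRememberToken(int maxAge, String domain, String path) could look like when built on CryptoToken, together with the matching validation on the way back in. It assumes the ESAPI 2.x CryptoToken API as commonly documented (no-arg constructor using the configured Encryptor.MasterKey, setUserAccountName, setExpiration(int), setAttribute/getAttribute, getToken, the CryptoToken(String) constructor and isExpired), a configured ESAPI.properties, and the Servlet 3.0+ API; the class name, the cookie name and the "purpose" attribute are hypothetical choices for this illustration.

```java
// Added example, not ESAPI's own implementation. Assumes the ESAPI 2.x
// CryptoToken API and the Servlet 3.0+ Cookie API; class and cookie names
// below are hypothetical.
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.crypto.CryptoToken;
import org.owasp.esapi.errors.EncryptionException;
import org.owasp.esapi.errors.ValidationException;

public final class PasswordFreeRememberMe {

    // Hypothetical cookie name chosen for this example.
    static final String COOKIE_NAME = "esapi_remember";
    static final String PURPOSE = "remember-me";

    private PasswordFreeRememberMe() {}

    /**
     * Issue a remember-me cookie for the given account. The token carries only
     * the account name, an expiry and a purpose tag; CryptoToken encrypts and
     * integrity-protects it under the server-side master key, so no password
     * (reversibly encrypted or otherwise) ever reaches the client.
     */
    public static void setRememberToken(HttpServletResponse response,
                                        String accountName,
                                        int maxAge, String domain, String path)
            throws EncryptionException, ValidationException {
        if (maxAge <= 0) {
            throw new IllegalArgumentException("maxAge must be a positive number of seconds");
        }
        CryptoToken token = new CryptoToken();      // keyed with Encryptor.MasterKey
        token.setUserAccountName(accountName);      // CryptoToken validates the name
        token.setExpiration(maxAge);                // lifetime in seconds from now
        // Tag the token so another CryptoToken issued under the same key
        // (e.g. a CSRF or password-reset token) cannot be replayed as a login.
        token.setAttribute("purpose", PURPOSE);

        Cookie cookie = new Cookie(COOKIE_NAME, token.getToken());
        cookie.setMaxAge(maxAge);
        if (domain != null) cookie.setDomain(domain);
        cookie.setPath(path == null ? "/" : path);
        cookie.setSecure(true);    // never send the bearer token over cleartext HTTP
        cookie.setHttpOnly(true);  // keep it out of reach of script (Servlet 3.0+)
        response.addCookie(cookie);
    }

    /**
     * Validate an incoming remember-me cookie. Returns the remembered account
     * name, or null when the cookie is absent, tampered with, expired, or not
     * a remember-me token. A decryption or MAC failure is reported by
     * CryptoToken as EncryptionException and is treated as "no valid token".
     */
    public static String getRememberedAccount(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (!COOKIE_NAME.equals(c.getName())) continue;
            try {
                CryptoToken token = new CryptoToken(c.getValue()); // decrypt + verify
                if (token.isExpired()) return null;
                if (!PURPOSE.equals(token.getAttribute("purpose"))) return null;
                return token.getUserAccountName();
            } catch (EncryptionException e) {
                return null; // forged, corrupted, or issued under a different key
            }
        }
        return null;
    }

    /** Clear the client's copy of the cookie, e.g. on logout. */
    public static void killRememberToken(HttpServletResponse response,
                                         String domain, String path) {
        Cookie cookie = new Cookie(COOKIE_NAME, "");
        cookie.setMaxAge(0);
        if (domain != null) cookie.setDomain(domain);
        cookie.setPath(path == null ? "/" : path);
        response.addCookie(cookie);
    }
}
```

Two caveats a practitioner should keep in mind with this design. First, the token is a bearer credential: anyone who steals the cookie can log in as that account until the expiry CryptoToken enforces, which is why the Secure and HttpOnly flags and a short maxAge matter. Second, killRememberToken only removes the client's copy; because the server keeps no state, a previously captured token stays valid until it expires. If real revocation is required, store a per-user serial (for example as another CryptoToken attribute) that the server can bump on logout or password change and compare on every remember-me login.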