4.3 Configuring Persistent Authentication

This authentication class stores the user's session in the browser after a successful login. When the user is subsequently prompted for authentication, the class reuses the saved authentication instead of prompting for credentials again. The user is prompted for credentials only when the cookie lifetime expires. Use this authentication class only for applications that do not require very high security.

4.3.1 Frequent Re-authentication Using Password

This class helps in configuring websites that require only low security, such as enterprise forums. Frequently typing the password to re-authenticate can itself expose the password and cause security issues. With the PersistentAuthClass configuration you are not required to re-authenticate with the password frequently. For sites where you use a low-grade identity, for example enterprise forums or web sites that retain your preferences, having to re-authenticate every few hours is annoying. Some web sites offer a Remember My Password feature that does not ask the user to re-authenticate if the option is selected. This class provides that Remember My Password functionality so that the user does not have to re-authenticate frequently.

4.3.2 PersistentAuthClass Properties

You can set the following class properties in the configuration file.

  • CryptoKey: This key is used to encrypt the user's information in the cookie. If the value is long and random, the user information is secure. The value must be at least ten characters. If you do not set this value, the certificate private key is used instead; if you then change or update the certificate, the user must re-authenticate.

  • CookieSuffix: The cookie name is derived from this suffix, with PA_ added as a prefix. By default, the cookie name is PA_PERSISTENT_AUTH. For example, if you configure CookieSuffix as PER_AUTH, the Identity Server sends a cookie named PA_PER_AUTH to the browser.

  • MaxAgeSeconds: This property determines the cookie lifetime. The default value is 86400 seconds (1 day). The maximum value is 4294967295 seconds.

  • ParamName: The name of the HTTP parameter that enables this feature. The default parameter name is EnableCookieAuth. To change the default parameter name, for example to TestCookieName, follow the procedure given below.

    1. Login to the Identity Server.

    2. Go to /opt/novell/nids/lib/webapp/jsp

    3. Open login.jsp file using an editor.

    4. Search for the EnableCookieAuth parameter name and replace it with the new name, TestCookieName, in the input tag.

    5. Ensure that you select the Remember Me option.

    6. Restart the Identity Server.

      The Identity Server uses this value to identify whether the user has enabled the Remember Me option on the login page.
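As an added review aid (not part of the product documentation), the following Python script encodes the documented constraints on these properties and flags a weak property set next to a tightened one. The cookie-name derivation, the ten-character minimum and the MaxAgeSeconds bounds come from the text above; the entropy threshold and the 7-day age warning are assumptions of this example.

```python
import math
from collections import Counter

# Documented constraints and defaults for PersistentAuthClass properties.
DEFAULT_SUFFIX = "PERSISTENT_AUTH"
DEFAULT_MAX_AGE = 86400        # 1 day
MAX_AGE_LIMIT = 4294967295
MIN_KEY_LEN = 10
MIN_KEY_BITS = 64              # assumed review threshold, not from the documentation


def cookie_name(suffix=None):
    """Cookie name the Identity Server issues: PA_ + CookieSuffix."""
    return "PA_" + (suffix or DEFAULT_SUFFIX)


def key_entropy_bits(key):
    """Rough Shannon-entropy estimate of a key string, in bits."""
    n = len(key)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(key).values()) * n


def review(props, warn_age_seconds=7 * 86400):
    """Return findings for a property dict; an empty list means nothing to flag."""
    findings = []
    key = props.get("CryptoKey")
    if key is None:
        findings.append("CryptoKey unset: certificate private key is used, so "
                        "renewing the certificate forces re-authentication")
    elif len(key) < MIN_KEY_LEN:
        findings.append(f"CryptoKey too short: {len(key)} < {MIN_KEY_LEN} characters")
    elif key_entropy_bits(key) < MIN_KEY_BITS:
        findings.append("CryptoKey looks predictable: use a long random value")
    try:
        age = int(props.get("MaxAgeSeconds", DEFAULT_MAX_AGE))
    except (TypeError, ValueError):
        findings.append("MaxAgeSeconds is not an integer")
    else:
        if not 1 <= age <= MAX_AGE_LIMIT:
            findings.append(f"MaxAgeSeconds {age} outside 1..{MAX_AGE_LIMIT}")
        elif age > warn_age_seconds:
            findings.append(f"MaxAgeSeconds {age} keeps sessions alive longer than "
                            f"{warn_age_seconds} seconds; confirm this is intended")
    return findings


# Constructed property sets: a weak one and a tightened one.
WEAK = {"CryptoKey": "secret", "MaxAgeSeconds": "4294967295"}
BETTER = {"CryptoKey": "q7V!pZ3m#Lr9wX2bT8nK", "CookieSuffix": "PER_AUTH",
          "MaxAgeSeconds": "86400"}
```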

4.3.3 Configuring Persistent Authenticator Class

The following procedure allows you to configure the PersistentAuthClass.

  1. Login to the Administration Console.

  2. Click Devices > Identity Servers > Edit > Local > Classes.

  3. Click New, then specify a Display name, for example PersistentAuth.

  4. Select PersistentAuthClass from the Java Class drop-down list.

  5. Click New to create a new authentication class.

  6. In the Add property window, specify the following values. Specifying these values is optional.

    • Property Name: Specify the name of the property. For more information on the names you can specify here, see Section 4.3.2, PersistentAuthClass Properties.

    • Property Value: Specify the property value you would like to define here.

  7. Click OK and Finish.

  8. Continue with creating a contract and method for this class.

    For configuration information, see Section 3.3, Configuring Authentication Methods and Section 3.4, Configuring Authentication Contracts.

4.3.4 Logging Out of the Persistent Sessions

When a user performs an explicit logout, the Identity Server clears the persistent authentication cookie in the browser if the logout request goes through the browser. If SOAP communication is used between the service provider and the Identity Server, the Identity Server does not clear the cookie automatically. The cookie can only be cleared by sending a request to a page on the server that issued it. On the Identity Server, the clearCookieAuth.jsp page clears the cookie. You must customize the service provider's logout page to run the Identity Server's clearCookieAuth.jsp page.

The clearCookieAuth.jsp file clears it. The URL for this page will be . Any request to that URL will clear the authentication cookie.

While this class is in use, the user cannot truly log out of the system, because re-accessing any protected page simply re-authenticates the user with the information stored in the browser. There are at least two ways to invalidate an outstanding browser-stored authentication cookie: change the user's password, or clear the stored cookie from the browser. The only way to invalidate the cookie is to change the encryption key used. A cookie can only be cleared by a request from the server that created it.

The following configuration is specific to the Novell service provider. If you use a third-party service provider, you must customize its logout pages.

In a federation scenario, add the following to the logoutSuccess.jsp file at /opt/novell/nam/idp/webapps/nidp/jsp/ on the service provider. You can have the logout page redirect to this page, or include an <iframe> that references the page. You can also customize the /opt/novell/nam/mag/webapps/nesp/jsp/logoutSuccess.jsp file to provide login links or instructions to your users.

<tr>
   <td><iframe src="https://idp.labs.com:8443/nidp/jsp/clearCookieAuth.jsp" width="0" height="0"></iframe></td>
</tr>

where idp.labs.com is replaced with the DNS name of your Identity Server.

4.3.5 Limitations

The Persistent Authentication Class has the following limitations:

  • The user remains authenticated even if the password is changed.

  • If the user is already logged in with the Remember Me option enabled, you cannot stop the session until the cookie expires.