4.1.6 Persistent Authentication

This authentication class stores an authentication cookie in the browser after a successful login. When the user is subsequently prompted for authentication, the class reuses the saved authentication instead of asking for credentials again. The user is prompted for credentials only after the cookie lifetime expires. Use this class only for applications that do not require high security. You can configure persistent authentication as a standalone class.

Frequent Re-authentication Using Password

This class is intended for low-security sites such as enterprise forums. Having to type the password frequently to re-authenticate is itself a risk, because every entry is another opportunity for the password to be observed or captured. With PersistentAuthClass configured, the user does not need to re-authenticate with the password frequently. For sites where you use a low-grade identity, for example an enterprise forum or a site that only stores your preferences, having to re-authenticate every few hours is annoying. Some websites offer a "remember me" feature that does not ask the user to re-authenticate when it is selected. This class provides that functionality, so the user does not need to re-authenticate frequently.

PersistentAuthClass Properties

You can set the following properties in the class properties tab:

  • CryptoKey: This key encrypts the user's information in the cookie. A long, random value keeps that information secure; the value must be at least ten characters. If you do not set this value, the certificate private key is used instead, which means that changing or updating the certificate invalidates existing cookies and users are re-authenticated.

  • CookieSuffix: The cookie name is derived from this suffix by prepending PA_. By default, the cookie name is PA_PERSISTENT_AUTH. For example, if you configure CookieSuffix as PER_AUTH, Identity Server sends a cookie named PA_PER_AUTH to the browser.

  • MaxAgeSeconds: The cookie lifetime in seconds. The default value is 86400 seconds (1 day). The maximum value is 4294967295 seconds.

  • ParamName: The name of the HTTP parameter that enables this feature. The default value is EnableCookieAuth. To change the parameter name, for example to TestCookieName, perform the following steps:

    1. Log in to Identity Server.

    2. Go to /opt/novell/nids/lib/webapp/jsp.

    3. Open the login.jsp file using an editor.

    4. Search for the EnableCookieAuth parameter name and replace it with the new name, TestCookieName.

    5. Select Remember Me.

    6. Restart Identity Server.

      Identity Server uses this parameter to determine whether the user selected Remember Me on the login page.

Customizing Login Page For Persistent Authentication

To enable the Remember Me option on a custom login page, add the following to the login form. The checkbox name must match the ParamName property (EnableCookieAuth by default):

<tr>
<td align="left">
<input type="checkbox" name="EnableCookieAuth" value="true" /> <label>Remember Me</label>
</td>
</tr>
<tr></tr>
<tr><td><span class="instructions">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(Do not check this box if you are using a public computer.)</span></td></tr>


Configuring the Persistent Authenticator Class

  1. Log in to Administration Console.

  2. Click Devices > Identity Servers > Edit > Local > Classes.

  3. Click New, then specify a Display name. For example, PersistentAuth.

  4. Select PersistentAuthClass from the Java Class list.

  5. On the Properties tab, click New.

  6. (Optional) In the Add property window, specify the properties described in PersistentAuthClass Properties (CryptoKey, CookieSuffix, MaxAgeSeconds, ParamName) and their values.

  7. Click OK > Finish.

  8. Continue with creating a contract and method for this class.

    For configuration information, see Section 4.1.3, Configuring Authentication Methods and Section 4.1.4, Configuring Authentication Contracts.

Logging Out of the Persistent Sessions

When a user performs an explicit logout, Identity Server clears the persistent authentication cookie in the browser, provided the logout request passes through the browser.

If SOAP communication is used between the service provider and Identity Server, the logout does not pass through the browser and Identity Server does not clear the cookie automatically. A cookie can be cleared only by a response from the server that issued it, so the browser must be sent to a page on Identity Server: the clearCookieAuth.jsp page clears the cookie. You must customize the service provider's logout page to load Identity Server's clearCookieAuth.jsp page.

The URL for this page is https://idpserver.example.com/nidp/jsp/clearCookieAuth.jsp. Any request to that URL clears the persistent authentication cookie.

Unless the cookie is cleared, the user cannot effectively log out, because re-accessing any protected page simply re-authenticates the user from the information stored in the cookie. There are two ways to invalidate an outstanding cookie: clear it from the browser (by a request to clearCookieAuth.jsp, or by the user deleting it in the browser), or change the encryption key, that is, the CryptoKey property or, if CryptoKey is not set, the certificate. Changing the user's password does not invalidate the cookie (see Limitations of Using Persistent Authentication Class).

The following configuration is specific to the Novell service provider. If you use a third-party service provider, you must customize its logout pages yourself.

In a federation scenario, add the following to the logoutSuccess.jsp file at /opt/novell/nam/idp/webapps/nidp/jsp/ on the service provider. You can redirect the logout page to this page, or include an <iframe> that references it. You may also customize the /opt/novell/nam/mag/webapps/nesp/jsp/logoutSuccess.jsp file to provide login links or instructions to your users.

<tr>
   <td> <iframe src="https://idp.labs.com:8443/nidp/jsp/clearCookieAuth.jsp" width="0" height="0"></iframe> </td>
</tr>

where idp.labs.com:8443 is the host name and port of Identity Server.
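The following Python check is an added example for this section, not code from Access Manager or its documentation. It parses the Set-Cookie headers a client receives and verifies two things: that the login response sets the PA_<CookieSuffix> cookie with a lifetime within the configured MaxAgeSeconds and the 4294967295-second limit, and that a clearCookieAuth.jsp response actually expires that cookie with the same Path and Domain as the issued one, since a browser discards a cookie only when the clearing Set-Cookie matches the original on name, domain and path. The sample headers are constructed, the cookie values are placeholders, and the Secure and HttpOnly checks are hardening expectations assumed by the example rather than properties documented on this page.

```python
"""Added check (not Access Manager code): compare the Set-Cookie headers seen at
login and at clearCookieAuth.jsp with the PersistentAuthClass properties."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

COOKIE_PREFIX = "PA_"               # Identity Server prepends PA_ to CookieSuffix
DEFAULT_SUFFIX = "PERSISTENT_AUTH"  # default cookie name is PA_PERSISTENT_AUTH
DEFAULT_MAX_AGE = 86400             # MaxAgeSeconds default (1 day)
MAX_AGE_LIMIT = 4294967295          # MaxAgeSeconds upper bound

def cookie_name(cookie_suffix=DEFAULT_SUFFIX):
    """Derive the cookie name as the CookieSuffix property describes."""
    return COOKIE_PREFIX + cookie_suffix

def parse_set_cookie(header):
    """(name, value, attrs) for one Set-Cookie header; attrs are lower-cased, flags map to True."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs

def find_cookie(headers, name):
    """(value, attrs) from the last Set-Cookie header for `name`, else None."""
    found = None
    for header in headers:
        n, value, attrs = parse_set_cookie(header)
        if n == name:
            found = (value, attrs)
    return found

def check_login_cookie(headers, cookie_suffix=DEFAULT_SUFFIX, max_age_seconds=DEFAULT_MAX_AGE):
    """Findings for the cookie issued at login; [] means it matches the configuration."""
    name = cookie_name(cookie_suffix)
    found = find_cookie(headers, name)
    if found is None:
        return [f"no Set-Cookie for {name}: Remember Me was not honoured"]
    attrs = found[1]
    findings = []
    max_age = attrs.get("max-age")
    if max_age is None:
        if "expires" not in attrs:
            findings.append(f"{name} has no Max-Age/Expires: session cookie, not persistent")
    elif not max_age.isdigit():
        findings.append(f"{name} Max-Age is not numeric: {max_age!r}")
    elif int(max_age) > MAX_AGE_LIMIT:
        findings.append(f"{name} Max-Age {max_age} exceeds the {MAX_AGE_LIMIT} limit")
    elif int(max_age) > max_age_seconds:
        findings.append(f"{name} Max-Age {max_age} exceeds configured MaxAgeSeconds {max_age_seconds}")
    # Assumed hardening, not stated on the page: the cookie alone re-authenticates
    # the user, so it should not travel over plain HTTP or be readable by scripts.
    if attrs.get("secure") is not True:
        findings.append(f"{name} lacks the Secure attribute")
    if attrs.get("httponly") is not True:
        findings.append(f"{name} lacks the HttpOnly attribute")
    return findings

def check_logout_clears_cookie(logout_headers, login_headers, cookie_suffix=DEFAULT_SUFFIX, now=None):
    """Findings for a clearCookieAuth.jsp response; [] means it expires the cookie
    with the same Path/Domain as the issued one, which a browser requires."""
    name = cookie_name(cookie_suffix)
    now = now or datetime.now(timezone.utc)
    issued = find_cookie(login_headers, name)
    cleared = find_cookie(logout_headers, name)
    if cleared is None:
        return [f"logout response does not touch {name}: the user stays logged in"]
    attrs = cleared[1]
    findings = []
    expired = attrs.get("max-age") == "0"
    if not expired and "expires" in attrs:
        try:
            expired = parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            findings.append(f"{name} Expires is not a valid HTTP date")
    if not expired:
        findings.append(f"{name} is re-set, not expired (Max-Age=0 or a past Expires is needed)")
    if issued is not None:
        for scope in ("path", "domain"):
            if issued[1].get(scope) != attrs.get(scope):
                findings.append(f"{name} {scope} differs from the issued cookie; the browser keeps the original")
    return findings

# Constructed sample responses; cookie values are placeholders, not real data.
LOGIN_HEADERS = [
    "JSESSIONID=constructed-session-id; Path=/nidp; Secure; HttpOnly",
    "PA_PERSISTENT_AUTH=constructed-encrypted-blob; Max-Age=86400; Path=/nidp; Secure; HttpOnly",
]
LOGOUT_HEADERS = [
    "PA_PERSISTENT_AUTH=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/nidp; Secure; HttpOnly",
]
# Misconfigured variant: custom suffix, lifetime above the configured day, no Secure flag.
WEAK_LOGIN_HEADERS = ["PA_PER_AUTH=constructed-encrypted-blob; Max-Age=604800; Path=/nidp; HttpOnly"]

if __name__ == "__main__":
    print(check_login_cookie(LOGIN_HEADERS))                                 # []
    print(check_login_cookie(WEAK_LOGIN_HEADERS, cookie_suffix="PER_AUTH"))  # two findings
    print(check_logout_clears_cookie(LOGOUT_HEADERS, LOGIN_HEADERS))         # []
```

Feed the functions the Set-Cookie headers captured from a real login and from a request to clearCookieAuth.jsp (a browser's developer tools or a proxy will show them). The Path comparison is the check most often missed: a clearing response scoped to a different path leaves the original cookie in place, and the user is silently re-authenticated on the next protected request.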

Limitations of Using Persistent Authentication Class

  • The user remains authenticated even after the password is changed.

  • If the user is already logged in with the Remember Me option enabled, you cannot terminate that persistent authentication before the cookie expires, other than by clearing the cookie or changing the encryption key as described above.