Issue ESAPI#316 -- Deprecated existing HTTPUtilities.setRememberToken() for one that doesn't require user password.

Author: xeno6696

pom.xml

@@ -187,14 +187,17 @@
             <artifactId>antisamy</artifactId>
             <version>1.5.3</version>
         </dependency>
-
         <dependency>
             <groupId>org.apache.xmlgraphics</groupId>
             <artifactId>batik-css</artifactId>
             <version>1.8</version>
         </dependency>
-
-
+		<dependency>
+		    <groupId>org.mockito</groupId>
+		    <artifactId>mockito-all</artifactId>
+		    <version>1.10.19</version>
+		    <scope>test</scope>
+		</dependency>
     </dependencies>
 
     <build>

src/main/java/org/owasp/esapi/HTTPUtilities.java

@@ -543,12 +543,21 @@ public interface HTTPUtilities
 
 	/**
 	 * Calls setNoCacheHeaders with the *current* response.
+	 * 
+	 * ~DEPRECATED~  Per Kevin Wall, storing passwords with reversible encryption is contrary to *many*
+	 * company's stated security policies.  
      *
 	 * @see {@link HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)}
 	 */
+    @Deprecated
     String setRememberToken(String password, int maxAge, String domain, String path);
 
+    /**
+     * 
+     */
+    String setRememberToken(HttpServletRequest request, HttpServletResponse response, int maxAge, String domain, String path);
 
+    
     /**
 	 * Set a cookie containing the current User's remember me token for automatic authentication. The use of remember me tokens
 	 * is generally not recommended, but this method will help do it as safely as possible. The user interface should strongly warn
@@ -564,6 +573,9 @@ public interface HTTPUtilities
      * <p/>
      * The username can be retrieved with: User username = ESAPI.authenticator().getCurrentUser();
      *
+     *~DEPRECATED~  Per Kevin Wall, storing passwords with reversible encryption is contrary to *many*
+	 * company's stated security policies.  
+     *
      * @param request
      * @param password the user's password
      * @param response
@@ -572,6 +584,7 @@ public interface HTTPUtilities
 	 * @param path the path to restrict the token to or null
 	 * @return encrypted "Remember Me" token stored as a String
 	 */
+    @Deprecated
     String setRememberToken(HttpServletRequest request, HttpServletResponse response, String password, int maxAge, String domain, String path);
 
 

src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java

@@ -945,6 +945,36 @@ public String setRememberToken( HttpServletRequest request, HttpServletResponse
 			return null;
 		}
 	}
+	
+	
+	public String setRememberToken(HttpServletRequest request, HttpServletResponse response, int maxAge, String domain, String path){
+		String rval = "";
+		User user = ESAPI.authenticator().getCurrentUser();
+		
+		try{
+			killCookie(request,response, REMEMBER_TOKEN_COOKIE_NAME);
+			// seal already contains random data
+			String clearToken = user.getAccountName();
+			long expiry = ESAPI.encryptor().getRelativeTimeStamp(maxAge * 1000);
+			String cryptToken = ESAPI.encryptor().seal(clearToken, expiry);
+
+            // Do NOT URLEncode cryptToken before creating cookie. See Google Issue # 144,
+			// which was marked as "WontFix".
+
+			Cookie cookie = new Cookie( REMEMBER_TOKEN_COOKIE_NAME, cryptToken );
+			cookie.setMaxAge( maxAge );
+			cookie.setDomain( domain );
+			cookie.setPath( path );
+			response.addCookie( cookie );
+			logger.info(Logger.SECURITY_SUCCESS, "Enabled remember me token for " + user.getAccountName() );
+		} catch( IntegrityException e){
+			logger.warning(Logger.SECURITY_FAILURE, "Attempt to set remember me token failed for " + user.getAccountName(), e );
+			return null;
+		}
+		
+		
+		return rval;
+	}
 
     /**
 	 * {@inheritDoc}

src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java

@@ -17,6 +17,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.lang.reflect.Field;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.Iterator;
@@ -25,6 +26,7 @@
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
 import org.owasp.esapi.Authenticator;
@@ -47,7 +49,6 @@
 import junit.framework.Test;
 import junit.framework.TestCase;
 import junit.framework.TestSuite;
-
 /**
  * The Class HTTPUtilitiesTest.
  * 
@@ -465,7 +466,7 @@ public void testSetNoCacheHeaders() {
 	 *
 	 * @throws org.owasp.esapi.errors.AuthenticationException
 	 */
-	public void testSetRememberToken() throws AuthenticationException {
+	public void testDeprecatedSetRememberToken() throws AuthenticationException {
 		System.out.println("setRememberToken");
 		Authenticator instance = (Authenticator)ESAPI.authenticator();
 		String accountName=ESAPI.randomizer().getRandomString(8, EncoderConstants.CHAR_ALPHANUMERICS);
@@ -485,6 +486,41 @@ public void testSetRememberToken() throws AuthenticationException {
 		// String value = response.getCookie( Authenticator.REMEMBER_TOKEN_COOKIE_NAME ).getValue();
 		// assertEquals( user.getRememberToken(), value );
 	}
+	
+	/**
+	 *
+	 * @throws org.owasp.esapi.errors.AuthenticationException
+	 */
+	public void testSetRememberToken() throws Exception {
+		System.out.println("setRememberToken");
+		Authenticator instance = (Authenticator)ESAPI.authenticator();
+		String accountName=ESAPI.randomizer().getRandomString(8, EncoderConstants.CHAR_ALPHANUMERICS);
+		String password = instance.generateStrongPassword();
+		User user = instance.createUser(accountName, password, password);
+		user.enable();
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.addParameter("username", accountName);
+		request.addParameter("password", password);
+		HttpServletResponse response = new MockHttpServletResponse();
+		ESAPI.httpUtilities().setCurrentHTTP(request, response);
+		instance.login( request, response);
+
+		int maxAge = ( 60 * 60 * 24 * 14 );
+
+		ESAPI.httpUtilities().setRememberToken( request, response, maxAge, "domain", "/" );
+		
+		Field field = response.getClass().getDeclaredField("cookies");
+		field.setAccessible(true);
+		List<Cookie> cookies = (List<Cookie>) field.get(response);
+		Cookie cookie = null;
+		for(Cookie c: cookies){
+			if(c.getName().equals(HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME)){
+				cookie = c; 
+				break;
+			}
+		}
+		assertEquals(HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME, cookie.getName());
+	}
 
 	public void testGetSessionAttribute() throws Exception {
 		HttpServletRequest request = new MockHttpServletRequest();