Tracker:
http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=33068
(no additional information there )

We still will have 2 plugins with frustrating titles (Cookie and Remember Me).

Why not to have single system plugin 'System - Remember Me'?

System plugin can incorporate all triggers from both 'authentication' and 'user' group', hence we will have complete remember me logic in single place.

@Denitz : System plugins load each time, so give an overhead on each page load. It would be better to solve the "Multi-group plugins" issue in a better way in Joomla 4 imho.

System plugin can incorporate all triggers from both 'authentication' and 'user' group', hence we will have complete remember me logic in single place.

Authentication plugins work a bit different. The onUserAuthenticate method is only triggered for plugins in the authentication group. It's not triggered for system plugins.
See https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/user/authentication.php#L286 for the code.
So that's why it needs to be an authentication plugin.

On the other hand since authentication plugins aren't loaded as long as there is nothing to authenticate, we need a system plugin which can trigger the login process.

I agree, but in order to login user via cookie we need to check user status and cookie on each page load (like current plugin does in PlgSystemRemember::onAfterInitialise()), otherwise we just won't be able to auto-login user. So system plugin is the only possible solution for cookie-based authentication. Or we can move this logic inside Joomla core, but it's not our choice I hope :)

We can't check cookie presence in onUserAuthenticate event, it's launched only once user does a login, but cookie login is hidden and occurs once a user visits site.

in order to login user via cookie we need to check user status and cookie on each page load (like current plugin does in PlgSystemRemember::onAfterInitialise())

The remember system plugin still does that check. It first checks if the user is not logged in (if (JFactory::getUser()->get('guest'))) and then if a valid cookie is present (if ($this->app->input->cookie->get($cookieName)))
The difference is that currently, this plugin also contains part of the authentication logic, and in my PR it will only trigger the login with $this->app->login(), leaving all the authentication logic to the authentication plugins.

So system plugin is the only possible solution for cookie-based authentication.

The authentication can't be done in the system plugin. As said the event is not triggered in the system group. It's only triggered in the authentication group.

Yes, sure it checks for guest user.

System plugins can use events of ALL groups because 'system' group is always loaded first. That's why I am talking about having single system plugin.

Sorry, no, onUserAuthenticate is really triggered in 'authentication' plugins only... We just need to use all plugins via usual $dispatcher->trigger('onUserAuthenticate'...

Sorry, no, onUserAuthenticate is really triggered in 'authentication' plugins only... We just need to use all plugins via usual $dispatcher->trigger('onUserAuthenticate'...

I guess there is a reason it isn't done with $dispatcher->trigger('onUserAuthenticate', ...) here. We maybe don't want to propagate the users username and password to each loaded plugin and want to restrict authentication to authentication plugins. It's a security related task after all

It's foolish idea because if required - plugins can inject own instance into JPluginHelper and still get all user credentials. Or just listen to POST. So it's completely safe to change launching of 'onUserAuthenticate' to default code with importing 'authentication' plugins group and next triggering dispatcher.

So it's completely safe to change launching of 'onUserAuthenticate' to default code with importing 'authentication' plugins group and next triggering dispatcher.

It may be safe, it may be not. That would need proper testing on itself and some security reviews as well. You can do a PR to change that if you want. I will not touch it with this PR as it's out of the scope of this PR.

Howdy,

I was playing with this and encountered a couple of issues.

The first is the use of the JUserHelper::getShortHashedUserAgent(). This bases the hash in part on JUri::base() which returns the base URL including protocol. In the case of forcing login to SSL this limits the cookie to only be used over SSL by default. As in our case we have the login and all user profile actions segmented to an SSL protected section of the site. So using the remember me cookie fails on the non SSL protected areas of the site.

What we did was use a hash based on the url without the protocol, so the hostname and script_name and user agent. This provides a consistent hash across http and https sections.

The second issue I had was with the PlgAuthenticationCookie::onUserAfterLogin. I ran into the case where some browsers (safari, webkit based and possibly firefox) do a prefetch on the url even before you hit enter to go to the site. This is causing a valid login via PlgSystemRemember, but the PlgAuthenticationCookie::onUserAfterLogin is attempting to change the login cookies password hash based on a random password. It appears that these browsers are not keeping the result of the cookie change based on the reset when you actually goto the site and sending the original saved cookie password hash instead. So a login failure happens.

Upon looking at this I am questioning in the need to reset the cookies random password at all. Its reseting the password as well as giving the cookie a completely new valid time based on the cookie length again. So you really end up with a cookie that never expires as long as you go back to the page within the valid cookie length time. Im not sure that is the intended behavior. Its a valid one for some cases, but in the case where you want to force the user to re-login ever so often to verify credentials it breaks. Im my option it should probably be an option in remember to choose which method of expiration you want.

One thing I might add is you might think about adding the httpOnly flag on the remember cookie. This will prevent client side script access or manipulation (if the browser supports it) but will still be sent on XHR/Ajax calls as part of the normal headers.

@wonderslug Imho, I think a cookie should not be shared across SSL and non-SSL pages. But that may be a subjective view.

Its reseting the password as well as giving the cookie a completely new valid time based on the cookie length again.

The lifespan issued for the cookie doesn't really reflect the real lifespan. It could be faked anyway. The point of thruth is the lifespan saved in the database and that's why we need a consistent series part over the lifespan of the cookie. You should be forced to login manually again after the lifespan set in the options expires.

As for why we need to change the token each time: If we don't do that, you have no way to detect a hacking attemp.

I ran into the case where some browsers (safari, webkit based and possibly firefox) do a prefetch on the url even before you hit enter to go to the site.

Is it possible to detect that prefetch somehow? I can see that this will cause issues.

One thing I might add is you might think about adding the httpOnly flag on the remember cookie. This will prevent client side script access or manipulation (if the browser supports it) but will still be sent on XHR/Ajax calls as part of the normal headers.

I think that should be possible to do.