CookieService.kt

Manages creation of signed cookies containing user identifier, series token, and serial number. Validates cookies against stored tokens on each request, regenerates on changes, and handles deletion on logout or token invalidation.
Uses persistent-token pattern: each series has a rotating random token. When an old token is presented (cookie theft detected), the entire series is invalidated, protecting the legitimate user's session.
Extracted from the filter chain to allow cookie operations to be tested independently. The service layer separation enables different implementations for Wicket and REST endpoints.
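The series/rotating-token scheme described above, as an added Kotlin illustration that is not the project's own CookieService.kt: the cookie carries a user id, a series id and the current token; a valid token is rotated on every use, and a stale token for a known series means a second copy of the cookie is in circulation, so the whole series is dropped. The `userId:series:token` cookie format, the in-memory `HashMap` store (a database table in a real service), storing only SHA-256 hashes of tokens, and the omission of the cookie signature are assumptions of this example.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64

// Added example of the persistent-token ("series + rotating token") pattern.
// Not the project's CookieService; cookie format, in-memory store and token
// hashing are assumptions for illustration.

/** One remembered login: owner plus the hash of the token currently valid for this series. */
data class Series(val userId: Long, var tokenHash: String)

/** Outcome of checking a presented cookie. */
sealed class Validation {
    /** Token matched; the new cookie value (same series, fresh token) must be sent back. */
    data class Valid(val userId: Long, val newCookie: String) : Validation()
    /** Series is known but the token is stale: a copy of the cookie was used elsewhere. */
    data class TheftDetected(val userId: Long) : Validation()
    /** Malformed cookie, unknown series, or series already invalidated. */
    object Invalid : Validation()
}

class PersistentTokenStore {
    private val random = SecureRandom()
    private val encoder = Base64.getUrlEncoder().withoutPadding()
    // Assumption: in-memory map keyed by series id instead of a persistent table.
    private val seriesById = HashMap<String, Series>()

    private fun randomValue(): String {
        val bytes = ByteArray(32)
        random.nextBytes(bytes)
        return encoder.encodeToString(bytes)
    }

    /** Only the hash is stored, so a leaked token table does not yield usable cookies. */
    private fun hash(token: String): String =
        encoder.encodeToString(MessageDigest.getInstance("SHA-256").digest(token.toByteArray()))

    private fun constantTimeEquals(a: String, b: String): Boolean =
        MessageDigest.isEqual(a.toByteArray(), b.toByteArray())

    /** After a successful login with "stay logged in" ticked: returns the cookie value to set. */
    fun createSeries(userId: Long): String {
        val seriesId = randomValue()
        val token = randomValue()
        seriesById[seriesId] = Series(userId, hash(token))
        return "$userId:$seriesId:$token"
    }

    /** On each request that carries the cookie but has no live session. */
    fun validate(cookie: String?): Validation {
        val parts = cookie?.split(':') ?: return Validation.Invalid
        if (parts.size != 3) return Validation.Invalid
        val userId = parts[0].toLongOrNull() ?: return Validation.Invalid
        val (_, seriesId, token) = parts
        val series = seriesById[seriesId] ?: return Validation.Invalid
        if (series.userId != userId) return Validation.Invalid
        if (!constantTimeEquals(series.tokenHash, hash(token))) {
            // Old token presented: a stale copy of the cookie exists. Drop the entire
            // series so neither the legitimate user's nor the copied cookie works again.
            seriesById.remove(seriesId)
            return Validation.TheftDetected(series.userId)
        }
        // Rotate: the presented token is now spent; the next request needs the new one.
        val nextToken = randomValue()
        series.tokenHash = hash(nextToken)
        return Validation.Valid(userId, "$userId:$seriesId:$nextToken")
    }

    /** Logout: only the series behind this cookie is removed; other devices stay logged in. */
    fun invalidateSeries(cookie: String) {
        val parts = cookie.split(':')
        if (parts.size == 3) seriesById.remove(parts[1])
    }

    /** Token invalidation (e.g. password change): every remembered login of the user is dropped. */
    fun invalidateAllForUser(userId: Long) {
        seriesById.entries.removeIf { it.value.userId == userId }
    }
}

fun main() {
    val store = PersistentTokenStore()
    val cookie = store.createSeries(42L)
    val first = store.validate(cookie) as Validation.Valid   // legitimate use, token rotated
    println(store.validate(cookie))            // replay of the original cookie: TheftDetected(userId=42)
    println(store.validate(first.newCookie))   // Invalid: the series was wiped when theft was detected
}
```

Two design points worth noting: the lookup is by series id, not by token, so the comparison of the token hash happens only after the series has been found and can be done in constant time, and the reaction to a stale token is to drop the series rather than just reject the request, which is what turns a replayed cookie into a detectable event instead of a silent failure.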
| Commit | What changed |
|---|---|
| 868d6abb75 | 2025 -> 2026 |
| 63081666f6 | Source file headers: 2024-> 2025. |
| 4c04cfd652 | MAJOR-CHANGE! Migration of integer id's to Long id's (including fk's etc.) |
| 77bade6dfb | javax.* -> jakarta.* |
| b6092df092 | Copyright 2023 -> 2024 |
| ab45d51fa4 | Copyright 2001-2022 -> 2001-2023. |
| ea7ec2556f | Refactored (due to security reasons): PFUserDO.password -> UserPasswordDO.passwordHash |
| 9559cc9f99 | CookieService: Update user's last login timestamp on using stay-logged-in-cookie. |
| 73792cf5f8 | Delete stay-logged-in-cookie on failure. |
| ca914dbb97 | WIP: 2FA after login (required for users with Authenticator App configured). |
| 81476bb1ee | UserFilter -> Kotlin |
| 5f7ef41b8c | Copyright 2021 -> 2022 |
| c49de356f7 | WIP: 2FA. Clear all cookies of CookieService on logout. |
| 8641d51bc5 | CookieService: refactored (format of stayLoggedInCookie changed, old format is supported). WIP: 2FA |
| 6662d268d2 | CookieService -> Kotlin |