Long-running sessions for customer portal


For our customers, I'd like to allow them to stay logged in to our customer portal/authenticated site similar to what Amazon does.

The goal is to reduce the number of times they have to "do anything" to access the site and then save authentication for when they need to do something important (buy something or edit their account, etc).

How can this be done on force.com? How is it done in the non-force.com world... assuming some sort of encrypted cookie? Are there any implications of the session length limits on Salesforce such that Sites users HAVE TO BE subject to the same session timeout as our internal users?


Attribution to: Shane McLaughlin

Possible Suggestion/Solution #1

One approach would be to encrypt the user's username/password and write them to a persistent cookie. So, in a custom login page controller, you would have code like

// Technically, '^' is permitted in an email address, but most systems disallow it
String data = username + '^' + password;

// Base64 encoded key is stored in a custom setting
EncryptionSettings__c settings = EncryptionSettings__c.getOrgDefaults();
Blob key = null;
if (settings.key__c == null) {
    // No key yet - create a random one and save it
    key = Crypto.generateAesKey(256);
    settings.key__c = EncodingUtil.base64Encode(key);
    upsert settings; // upsert rather than insert: the org-default record may already exist without a key
} else {
    key = EncodingUtil.base64Decode(settings.key__c);
}
// AES-256 in CBC mode; the platform generates a random IV and prepends it to the ciphertext
String base64blob = EncodingUtil.base64Encode(Crypto.encryptWithManagedIV('AES256', key, Blob.valueOf(data)));

// Set cookieName, maxAge appropriately (example values: a 30-day lifetime)
String cookieName = 'portalRemember';
Integer maxAge = 30 * 24 * 60 * 60;
// Cookie(name, value, path, maxAge, isSecure); with isSecure=false the browser also sends it over plain HTTP
ApexPages.currentPage().setCookies(new Cookie[]{ new Cookie(cookieName, base64blob, null, maxAge, false) });

In an action method, specified in the action attribute for the page, you could have something like:

// cookieName must match the name used when the cookie was written
Cookie c = ApexPages.currentPage().getCookies().get(cookieName);
if (c == null) {
    // No cookie
    return null;
}
String base64blob = c.getValue();

EncryptionSettings__c settings = EncryptionSettings__c.getOrgDefaults();
if (settings.key__c == null) {
    throw new MyAppException('Cannot decrypt without a key!'); // MyAppException is your own custom exception class
}
Blob key = EncodingUtil.base64Decode(settings.key__c);
// Decrypt the cookie value; decryptWithManagedIV reads the IV that was prepended at encryption time
String data = Crypto.decryptWithManagedIV('AES256', key, EncodingUtil.base64Decode(base64blob)).toString();
// split() takes a regular expression, so the '^' delimiter must be escaped; limit to two parts
String[] parts = data.split('\\^', 2);
if (parts.size() != 2) {
    return null; // malformed cookie value
}
String username = parts[0];
String password = parts[1];
return Site.login(username, password, null); // a PageReference

NOTE - YOU SHOULD CAREFULLY REVIEW THE SECURITY OF THIS APPROACH. THE USER'S CREDENTIALS ARE NOT STORED ANYWHERE EXCEPT ON THEIR OWN MACHINE, ENCRYPTED WITH A KEY THAT RESIDES IN SALESFORCE. THIS LOOKS SECURE TO ME, BUT IT'S CONCEIVABLE THAT THERE MAY BE A SECURITY HOLE SOMEWHERE.


Attribution to: metadaddy
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/1668
