[jboss-user] [JBoss Seam] - Re: Security Remember Me Functionality

christian.bauer@jboss.com do-not-reply at jboss.com
Sat Feb 17 03:44:13 EST 2007


From a security perspective, this is not a good idea. I can steal your username and password from the cookie with a bit of Javascript. The only requirement for that is that somewhere in the web application, user input is printed on the webpage unfiltered (e.g. on a registration screen, there is a "The address $email is not valid." error message and $email comes from a form field.)

I make you click on a link I prepared and redirect you with a POST and some malicious payload to the vulnerable registration form. My POST enters Javascript code into the form that gets then printed onto the webpage in the error message. In that Javascript, I read your cookie and send it to my server.

This is known as cross-site scripting and there are many variations. Short story: Do not trust the client, do not store sensitive information on the client.

The best "Remember Me" feature is something similar to what Amazon is using: A username cookie is stored on the client, and the web application welcomes the user with his real name and also shows the remembered shopping basket. However, any sensitive operation (editing the shopping basket, buying stuff) requires re-authentication. This combined with an application audit for XSS holes is a good strategy.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018114#4018114

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4018114
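The two points in the post side by side, as an added example that is not code from the post or from Seam: the reflected error message with and without output encoding, a remember-me cookie that carries only an HMAC-tagged username (never credentials) with HttpOnly set, and the Amazon-style rule that anything sensitive still requires full re-authentication. `SERVER_SECRET`, the function names and the action names are assumptions made for this illustration.

```python
import hmac
import hashlib
import html
from http.cookies import SimpleCookie
from typing import Optional

# Constructed placeholder; a real deployment loads this from server-side configuration.
SERVER_SECRET = b"example-secret-replace-me"


def render_email_error_unescaped(email: str) -> str:
    """The sink the post describes: form input printed straight into the page."""
    return f"The address {email} is not valid."


def render_email_error(email: str) -> str:
    """Same message with HTML encoding, so a <script> payload is displayed, not executed."""
    return f"The address {html.escape(email, quote=True)} is not valid."


def issue_remember_me_cookie(username: str) -> str:
    """Remember-me cookie holding only the username plus an HMAC tag, no password.
    HttpOnly keeps it out of document.cookie; Secure keeps it off plaintext HTTP."""
    tag = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    cookie = SimpleCookie()
    cookie["remember_me"] = f"{username}:{tag}"
    cookie["remember_me"]["httponly"] = True
    cookie["remember_me"]["secure"] = True
    cookie["remember_me"]["samesite"] = "Lax"
    cookie["remember_me"]["max-age"] = 30 * 24 * 3600
    return cookie.output(header="").strip()


def user_from_remember_me(cookie_value: str) -> Optional[str]:
    """Return the remembered username only if the tag verifies; a forged cookie yields None."""
    username, sep, tag = cookie_value.rpartition(":")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(expected, tag) else None


def authorize(action: str, remembered_user: Optional[str], fully_authenticated: bool) -> bool:
    """Amazon-style policy: greeting and basket view on the cookie alone,
    every sensitive action (edit basket, buy) only after re-authentication."""
    low_risk = {"welcome", "view_basket"}
    if action in low_risk:
        return remembered_user is not None or fully_authenticated
    return fully_authenticated
```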


