[jboss-user] [JBoss Seam] - Re: Security Remember Me Functionality

christian.bauer@jboss.com do-not-reply at jboss.com
Sat Feb 17 04:03:58 EST 2007


Furthermore: Today, clients can fill out login forms automatically. It is a much safer approach:

a) the user decides when he wants to store sensitive information on the client (e.g. not on a browser in some internet cafe)

b) the user has a clear warning and a message (Do you want to store that login information?) that he has seen before, not some obscure Remember Me checkbox with an unknown implementation he can't control

c) the user can apply local measures to improve security, for example, my remembered login form data is stored in a master-password protected wallet (Safari + OS X)

d) it's much harder for attackers to abuse this functionality for phishing, you'd need DNS spoofing to get the victim to a malicious webpage with a faked domain, so that the client auto-fills the attacker's form

Having said that, we might add the "trusted client" Remember Me to Seam, but only with big red warning lights.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018118#4018118



