[jboss-user] [JBoss Seam] - Re: Security Remember Me Functionality
hstang
do-not-reply at jboss.com
Sat Feb 17 11:28:09 EST 2007
I'm not sure how you could recover the password in plaintext, as it is hashed along with other attributes. As Jack has mentioned, the most clever attack on the most secure hash algorithm we have available today (SHA-1) would take ~2^63 steps to find a collision, which is barely feasible.
Now I don't have to steal the password to gain access. Just as effectively, I only need to gain access to the cookie via cross-site scripting. Maybe then you can add an additional IP address attribute to the hash content as a precautionary measure. However, this approach fails if the malicious attacker is on the same network that you are on.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018219#4018219
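The thread above turns on three points: the remember-me cookie is a bearer token, so stealing it (e.g. through cross-site scripting) is as good as stealing the password; folding the client IP into the hashed material limits replay from elsewhere; and that mitigation does nothing against an attacker sharing your network address. The following is an added example, not JBoss Seam's own remember-me code, that shows one way to build such a token without putting any password-derived material in the cookie: an HMAC, keyed with a per-deployment server secret (assumed here to be `SERVER_SECRET`), over the username, an expiry time, a random nonce and the client IP. Replaying the cookie from a different address, after expiry, or with a tampered tag all fail; replaying it from the same address still works, which is exactly the limitation the post describes.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumption: a per-deployment secret kept on the server only. Because the
# token is an HMAC under this key, nothing in the cookie is derived from the
# user's password, so a stolen cookie leaks no password material.
SERVER_SECRET = os.urandom(32)

TOKEN_TTL = 14 * 24 * 3600  # two weeks, a typical "remember me" lifetime


def _tag(secret, username, expiry, nonce, client_ip):
    # The client IP is part of the MAC input but is NOT stored in the token:
    # the server recomputes the MAC from the IP it actually sees on the
    # request, so a cookie replayed from another address fails to verify.
    msg = f"{username}|{expiry}|{nonce}|{client_ip}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(username, client_ip, now=None, ttl=TOKEN_TTL, secret=None):
    """Create a remember-me cookie value: username|expiry|nonce|tag."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    secret = SERVER_SECRET if secret is None else secret
    now = int(time.time() if now is None else now)
    expiry = now + ttl
    # Random nonce so two tokens for the same user and expiry differ and so
    # the token can later be revoked server-side by nonce if desired.
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    tag = _tag(secret, username, expiry, nonce, client_ip)
    return f"{username}|{expiry}|{nonce}|{tag}"


def verify_token(token, client_ip, now=None, secret=None):
    """Return the username if the token is valid for this client, else None."""
    secret = SERVER_SECRET if secret is None else secret
    now = int(time.time() if now is None else now)
    try:
        username, expiry_s, nonce, tag = token.split("|")
        expiry = int(expiry_s)
    except ValueError:
        return None  # malformed token
    if now >= expiry:
        return None  # expired; a stolen cookie has a bounded useful life
    expected = _tag(secret, username, expiry, nonce, client_ip)
    # Constant-time comparison so the tag cannot be guessed byte by byte
    # through timing differences.
    if not hmac.compare_digest(expected, tag):
        return None
    return username


def set_cookie_header(token, max_age=TOKEN_TTL, name="rememberme"):
    """Build a Set-Cookie header. HttpOnly keeps document.cookie from
    exposing the value to injected script; Secure keeps it off plain HTTP.
    Neither stops an XSS payload from making requests that carry the cookie,
    so they narrow the theft scenario rather than remove it."""
    return f"{name}={token}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    # Constructed demonstration: a token issued to 10.0.0.5, then replayed
    # from the same host (succeeds) and from a different address (fails).
    t = issue_token("alice", "10.0.0.5")
    print("same IP  :", verify_token(t, "10.0.0.5"))
    print("other IP :", verify_token(t, "203.0.113.9"))
    print(set_cookie_header(t))
```

The IP binding is only as strong as the IP is distinctive: clients behind the same NAT or proxy present the same address, which is the same-network case the post points out, and mobile clients that change networks will be logged out. Expiry plus a server-side record of issued nonces (so a token can be revoked when the user logs out or changes password) is the part of this design that still helps in that case.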