[jboss-user] [JBoss Seam] - Re: Security Remember Me Functionality
gavin.king@jboss.com
do-not-reply at jboss.com
Sat Feb 17 11:52:47 EST 2007
Attacker does not need to recover the password to log in to the application. All they need is the hash, which is right there in the cookies. Sure, you can try to timeout the hash after some period of time, but this is silly because (a) a short timeout means that the whole functionality is useless and (b) a longer timeout means that knowing the hash is as good as knowing the password.
All browsers can remember passwords anyway.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018225#4018225
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4018225
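The post above argues that a remember-me cookie carrying the stored password hash is a bearer credential: whoever copies it (or dumps the user table) can authenticate without ever learning the password. The following is an added illustration, not code from the post or from JBoss Seam. It puts the scheme the post describes beside the usual alternative, an opaque random token whose server-side record holds only a hash of the token plus an expiry, so a stolen cookie reveals nothing about the password and can be revoked. The account, token lifetime and clock values are constructed sample data; SHA-256 stands in for whatever password hash a real deployment would use.

```python
import hashlib
import hmac
import secrets

# Constructed sample account (a real system would use a slow, salted
# password hash such as scrypt or PBKDF2 here, not bare SHA-256).
USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}


# --- Scheme A: cookie carries the password hash (what the post warns about) ---

def issue_hash_cookie(username):
    """Remember-me cookie = 'user:<stored password hash>'."""
    return f"{username}:{USERS[username]}"


def login_with_hash_cookie(cookie):
    """Server accepts the cookie if the hash matches the one it stores.
    Anyone holding the cookie, or a dump of USERS, passes this check."""
    username, _, presented = cookie.partition(":")
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, presented)


def forge_hash_cookie_from_db_dump(username):
    """A leaked user table is enough to mint a valid cookie for any user:
    the stored hash is exactly what the server expects back."""
    return f"{username}:{USERS[username]}"


# --- Scheme B: opaque random token, server stores only its hash and expiry ----

# token_sha256 -> (username, expires_at). Holding this table does not let an
# attacker build a cookie, because the raw token cannot be recovered from it.
REMEMBER_TOKENS = {}


def _token_key(raw_token):
    return hashlib.sha256(raw_token.encode()).hexdigest()


def issue_token_cookie(username, ttl_seconds, now):
    """Remember-me cookie = 'user:<random token>'; unrelated to the password."""
    raw = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[_token_key(raw)] = (username, now + ttl_seconds)
    return f"{username}:{raw}"


def login_with_token_cookie(cookie, now):
    """Accept only an unexpired token that is still recorded for this user."""
    username, _, raw = cookie.partition(":")
    record = REMEMBER_TOKENS.get(_token_key(raw))
    if record is None:
        return False
    owner, expires_at = record
    return owner == username and now < expires_at


def revoke_all_tokens(username):
    """Invalidate every outstanding remember-me cookie for a user without
    requiring a password change; returns how many were revoked."""
    doomed = [k for k, (u, _) in REMEMBER_TOKENS.items() if u == username]
    for k in doomed:
        del REMEMBER_TOKENS[k]
    return len(doomed)


if __name__ == "__main__":
    stolen = issue_hash_cookie("alice")
    print("scheme A, replayed stolen cookie:", login_with_hash_cookie(stolen))
    print("scheme A, cookie forged from DB dump:",
          login_with_hash_cookie(forge_hash_cookie_from_db_dump("alice")))

    cookie = issue_token_cookie("alice", ttl_seconds=3600, now=1000)
    print("scheme B, valid token:", login_with_token_cookie(cookie, now=2000))
    print("scheme B, after expiry:", login_with_token_cookie(cookie, now=5000))
    revoke_all_tokens("alice")
    print("scheme B, after revocation:", login_with_token_cookie(cookie, now=2000))
```

In scheme A the cookie and the password-database entry are the same string, which is the equivalence the post points out: the timeout only decides how long that equivalence lasts. In scheme B a stolen cookie is still a bearer credential for its lifetime, but it does not disclose the password, cannot be forged from a database dump, and can be cut off server-side.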
More information about the jboss-user mailing list