[jboss-user] [JBoss Seam] - Re: Security Remember Me Functionality

gavin.king@jboss.com do-not-reply at jboss.com
Sat Feb 17 11:52:47 EST 2007


Attacker does not need to recover the password to log in to the application. All they need is the hash, which is right there in the cookies. Sure, you can try to timeout the hash after some period of time, but this is silly because (a) a short timeout means that the whole functionality is useless and (b) a longer timeout means that knowing the hash is as good as knowing the password.

All browsers can remember passwords anyway.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018225#4018225

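An added illustration of the point made above, in Python (not code from the post or from Seam): when the cookie carries the password hash, a copy of the cookie authenticates on its own, whatever timeout is applied; the contrasting random-token design is an assumed standard alternative the post does not describe, shown only for comparison.

```python
import hashlib, hmac, secrets

# Constructed sample user store; the stored credential is sha256(password)
# to mirror the scenario in the post (an unsalted hash compared directly).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

def hash_login(cookie):
    """Design the post criticises: cookie = {"user", "hash"}. The server
    compares the cookie hash to the stored hash, so holding the cookie is
    exactly as good as holding the password."""
    user, h = cookie["user"], cookie["hash"]
    return user in USERS and hmac.compare_digest(USERS[user], h)

# Assumed alternative (not from the post): the cookie carries a random
# token; the server keeps only the token's hash plus an expiry, so a leaked
# password hash is useless and tokens can be revoked independently.
TOKENS = {}  # sha256(token) -> (user, expires_at)

def issue_token(user, ttl, now):
    token = secrets.token_urlsafe(32)
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (user, now + ttl)
    return token

def token_login(token, now):
    rec = TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or now > rec[1]:
        return None
    return rec[0]

def revoke_all(user):
    for k in [k for k, v in TOKENS.items() if v[0] == user]:
        del TOKENS[k]

def demo():
    # A copied cookie is enough; the password itself is never needed.
    copied = {"user": "alice", "hash": USERS["alice"]}
    hash_ok = hash_login(copied)                       # True
    t = issue_token("alice", ttl=3600, now=1000)
    token_ok = token_login(t, now=1500) == "alice"     # valid within ttl
    expired = token_login(t, now=5000) is None         # expiry enforced
    revoke_all("alice")
    revoked = token_login(t, now=1500) is None         # revocation works
    hash_useless = token_login(USERS["alice"], now=1500) is None
    return hash_ok, token_ok, expired, revoked, hash_useless
```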


