WebMail LoginView RememberME Functionality
------------------------------------------
Key: JBMAIL-251
URL:
http://jira.jboss.com/jira/browse/JBMAIL-251
Project: JBoss Mail
Issue Type: Patch
Security Level: Public (Everyone can see)
Components: WebMail
Affects Versions: 1.0-M4, 1.0-M3, 1.0-M2, 1.0-M5, 1.0-RC1, 1.0-final
Reporter: David Fuelling
Assigned To: Andrew Oliver
Priority: Minor
Fix For: 1.0-M5, 1.0-RC1, 1.0-final
Attachments: LoginView_patch.mxml.java
When a user logs into the webmail, he/she can click the "Remember Me" checkbox
and have the Flash webmail application remember his username/password information. The
functionality to do this has been implemented with this patch, by leveraging the Flash
Shared Object feature (which acts like a browser cookie) to store the login credentials
for later use.
It is unknown what the security implications of this are. Flash Shared Objects are stored
to disk in a specified user directory. In WinXP, for example, this directory is not
accessible unless you are logged in as an admin or the designated user (same for Unix, I
assume). So, even if the uid/password are un-encrypted on disk, this may not be a
security concern.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira