David Fuelling commented on JBMAIL-251:
---------------------------------------
Use Attachment #1 (the latest attachment). Patch #2 is incorrect and should be deleted.
WebMail LoginView RememberME Functionality
------------------------------------------
Key: JBMAIL-251
URL: http://jira.jboss.com/jira/browse/JBMAIL-251
Project: JBoss Mail
Issue Type: Patch
Security Level: Public(Everyone can see)
Components: WebMail
Affects Versions: 1.0-M4, 1.0-M3, 1.0-M2, 1.0-M5, 1.0-RC1, 1.0-final
Reporter: David Fuelling
Assigned To: Andrew Oliver
Priority: Minor
Fix For: 1.0-M5, 1.0-RC1, 1.0-final
Attachments: LoginView_patch.mxml.java, LoginView_patch.mxml.java
When a user logs into the webmail, he/she can click the "Remember Me" checkbox and have the Flash webmail application remember his username/password information. The functionality to do this has been implemented with this patch, by leveraging the Flash Shared Object feature (which acts like a browser cookie) to store the login credentials for later use.

It is unknown what the security implications of this are. Flash Shared Objects are stored to disk in a specified user directory. In WinXP, for example, this directory is not accessible unless you are logged in as an admin or the designated user (same for Unix, I assume). So, even if the uid/password are un-encrypted on disk, this may not be a security concern.
--
This message is automatically generated by JIRA.
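
The issue description leaves open whether credentials kept in a Flash Shared Object are exposed on disk. The following is an added example, not part of the patch or of JBoss Mail: it audits a shared-object directory for `.sol` files that other accounts can read and for credential-like property names stored as readable text. The key names, directory layout and sample bytes are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed key names a "Remember Me" feature might store; not taken from the patch.
CREDENTIAL_KEYS = (b"password", b"passwd", b"pwd")

def audit_shared_objects(root):
    """Report, for each .sol file under root, its permission bits and any
    credential-like key names found as plain text (values are never extracted)."""
    findings = []
    for path in sorted(Path(root).rglob("*.sol")):
        mode = stat.S_IMODE(path.stat().st_mode)
        data = path.read_bytes().lower()
        keys = [k.decode() for k in CREDENTIAL_KEYS if k in data]
        findings.append({
            "file": path.name,
            "mode": oct(mode),
            # Group or world read bit set: the per-user directory is not the only barrier.
            "other_users_can_read": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            "credential_keys": keys,
        })
    return findings

def build_sample(root):
    """Constructed sample: bytes that only imitate a shared object's readable
    property names; not a capture from the WebMail application."""
    d = Path(root) / "#SharedObjects" / "CONSTRUCTED" / "mail.example.test"
    d.mkdir(parents=True)
    loose = d / "login.sol"
    loose.write_bytes(b"\x00\xbfTCSO\x00login\x00username\x02alice\x00password\x02constructed")
    os.chmod(loose, 0o644)   # readable by other local accounts
    tight = d / "prefs.sol"
    tight.write_bytes(b"\x00\xbfTCSO\x00prefs\x00theme\x02dark")
    os.chmod(tight, 0o600)   # owner only
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_shared_objects(build_sample(tmp)):
            print(finding)
```

A file that is flagged on both counts is one where the operating system's directory permissions are the only protection for a stored password, and they are not in effect.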