Ok, but in the case when only the user name is used for creation of the "remember me"
cookie, someone can simply create such a cookie without performing any
"sophisticated" attacks like XSS or cookie hijacking.
Amazon's approach mentioned by Christian and hashing the cookie value can be the
recommended approach. Anyway, I added a comment to
http://jira.jboss.com/jira/browse/JBSEAM-735
suggesting the cookie creation procedure. Maybe someone can figure out some kind of
anti-cookie-hijacking procedure here. Using remoteAddress or host name in cookie creation
is a little bit too strict because of plenty of dynamic IPs.
Anyway, I think that this problem should be treated seriously, because some people can get
into real trouble when using this out of the box.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018771#...
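The forgeability problem described in the post, shown side by side with one way of hardening the cookie. This is an added example, not code from the post, from Seam, or from Amazon: the "weak" functions model a remember-me cookie that carries only the user name, so anyone can mint one for "admin" by typing it; the hardened version keeps the user name readable but binds it, an expiry and a random nonce to a server-side HMAC-SHA256 key, so a cookie that was not issued by the server (or was edited after issue) is rejected. Names such as `SERVER_KEY`, `MAX_AGE`, `make_token` and the `|`-separated layout are my own choices, and the key is generated at import time only to keep the example self-contained (a real deployment would load it from configuration and rotate it). Signing does not, on its own, stop replay of a cookie stolen by XSS or sniffing; that is the separate anti-hijacking problem the post leaves open.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: in production this key is loaded from configuration, not generated per process.
SERVER_KEY = secrets.token_bytes(32)

# Remember-me lifetime in seconds (assumed value: two weeks).
MAX_AGE = 14 * 24 * 3600


def weak_cookie(username: str) -> str:
    """The scheme criticized in the post: the cookie is just the user name."""
    return username


def weak_lookup(cookie: str) -> str:
    """Anyone who can type a user name can 'log in' as that user, no XSS needed."""
    return cookie


def _sign(payload: str) -> str:
    """URL-safe base64 of HMAC-SHA256(SERVER_KEY, payload)."""
    mac = hmac.new(SERVER_KEY, payload.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def make_token(username: str, now: Optional[float] = None) -> str:
    """Issue a remember-me token: username|expiry|nonce|mac.

    The nonce makes every issued token distinct (so one can be revoked server-side
    if desired); the MAC ties all three fields to the server key.
    """
    if "|" in username:
        raise ValueError("user name must not contain the field separator")
    now = time.time() if now is None else now
    expires = int(now) + MAX_AGE
    nonce = secrets.token_urlsafe(16)
    payload = f"{username}|{expires}|{nonce}"
    return f"{payload}|{_sign(payload)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the token is authentic and unexpired, else None.

    The MAC is checked first, with a constant-time compare, before any field is
    trusted; a forged or edited cookie never reaches the expiry or user lookup.
    """
    now = time.time() if now is None else now
    parts = token.rsplit("|", 1)
    if len(parts) != 2:
        return None
    payload, sig = parts
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    fields = payload.split("|")
    if len(fields) != 3:
        return None
    username, expires, _nonce = fields
    if not expires.isdigit() or int(expires) < now:
        return None
    return username


if __name__ == "__main__":
    # Constructed demonstration: a forged plain-text cookie versus a signed token.
    print("weak scheme accepts forged cookie as:", weak_lookup(weak_cookie("admin")))
    issued = make_token("alice")
    print("signed token for alice verifies as:", verify_token(issued))
    forged = "admin|2000000000|whatever|notarealmac"
    print("forged signed-format cookie verifies as:", verify_token(forged))
    tampered = "admin" + issued[len("alice"):]
    print("issued token with user name edited verifies as:", verify_token(tampered))
```

Usage note: `verify_token` returns the user name only after the MAC and expiry pass, so the caller should load the account from that return value and never from the raw cookie. Storing the per-token nonce against the account also gives a place to invalidate all outstanding remember-me cookies on password change or suspected theft.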