From a security perspective, this is not a good idea. I can steal your
username and password from the cookie with a bit of Javascript. The only requirement for
that is that somewhere in the web application, user input is printed on the webpage
unfiltered (e.g. on a registration screen, there is a "The address $email is not
valid." error message and $email comes from a form field.)
I make you click on a link I prepared and redirect you with a POST and some malicious
payload to the vulnerable registration form. My POST enters Javascript code into the form
that gets then printed onto the webpage in the error message. In that Javascript, I read
your cookie and send it to my server.
This is known as cross-site scripting and there are many variations. Short story: Do not
trust the client, do not store sensitive information on the client.
The best "Remember Me" feature is something similar to what Amazon is using: A
username cookie is stored on the client, and the web application welcomes the user with
his real name and also shows the remembered shopping basket. However, any sensitive
operation (editing the shopping basket, buying stuff) requires re-authentication. This
combined with an application audit for XSS holes is a good strategy.
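As an added illustration of the two points made in the post (unfiltered echoing of a form field, and a "Remember Me" cookie that carries only a username and gates sensitive operations behind re-authentication), the following Python is example code, not from the original post or from JBoss. The sample input, the cookie name `remember_user` and the action names are assumptions chosen for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample form-field value carrying markup; the string is an
# assumption for illustration, not taken from the post.
SAMPLE_EMAIL = '<script>x()</script>@example.com'


def render_error_unsafe(email: str) -> str:
    """The pattern the post warns about: user input copied verbatim into HTML."""
    return f"The address {email} is not valid."


def render_error_safe(email: str) -> str:
    """Same message, but the input is HTML-escaped before it reaches the page."""
    return f"The address {html.escape(email, quote=True)} is not valid."


def remember_me_cookie(username: str) -> str:
    """Build a 'Remember Me' cookie that carries only a username, never a password.

    HttpOnly stops page script from reading the cookie (which is what the
    cookie-stealing payload in the post relies on); Secure and SameSite limit
    where the browser sends it.  The cookie name is an assumption.
    """
    jar = SimpleCookie()
    jar["remember_user"] = username
    jar["remember_user"]["httponly"] = True
    jar["remember_user"]["secure"] = True
    jar["remember_user"]["samesite"] = "Lax"
    return jar.output(header="").strip()


# Split of operations following the Amazon-style pattern the post describes:
# a remembered visitor gets a greeting and their basket, but anything that
# changes state requires a fresh login.  Action names are assumptions.
LOW_RISK = {"show_welcome", "show_basket"}
SENSITIVE = {"edit_basket", "checkout"}


def allowed(action: str, remembered: bool, authenticated: bool) -> bool:
    """Return True if the visitor may perform `action` with the given state."""
    if action in SENSITIVE:
        return authenticated
    if action in LOW_RISK:
        return remembered or authenticated
    return False


if __name__ == "__main__":
    print(render_error_unsafe(SAMPLE_EMAIL))
    print(render_error_safe(SAMPLE_EMAIL))
    print(remember_me_cookie("alice"))
    print(allowed("show_basket", remembered=True, authenticated=False))
    print(allowed("checkout", remembered=True, authenticated=False))
```

Escaping at the point where the value is written into HTML is the fix for the reflected case in the post; the HttpOnly flag is an independent second layer that keeps a cookie out of reach of script even where an XSS hole remains, and the `allowed` check shows why a username-only cookie is safe to keep on the client: on its own it unlocks nothing that matters.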