[jboss-jira] [JBoss JIRA] Created: (JBMAIL-251) WebMail LoginView RememberME Functionality

[David Fuelling (JIRA)]

WebMail LoginView RememberME Functionality
------------------------------------------

                 Key: JBMAIL-251
                 URL: http://jira.jboss.com/jira/browse/JBMAIL-251
             Project: JBoss Mail
          Issue Type: Patch
      Security Level: Public (Everyone can see)
          Components: WebMail
    Affects Versions: 1.0-M4, 1.0-M3, 1.0-M2, 1.0-M5, 1.0-RC1, 1.0-final
            Reporter: David Fuelling
         Assigned To: Andrew Oliver
            Priority: Minor
             Fix For: 1.0-M5, 1.0-RC1, 1.0-final
         Attachments: LoginView_patch.mxml.java

When a user logs into the webmail, he/she can click the "Remember Me" checkbox and have the Flash webmail application remember his username/password information.  The functionality to do this has been implemented with this patch, by leveraging the Flash Shared Object feature (which acts like a browser cookie) to store the login credentials for later use.

It is unknown what the security implications of this are.  Flash Shared Objects are stored to disk in a specified user directory.  In WinXP, for example, this directory is not accessible unless you are logged in as an admin or the designated user (same for Unix, I assume).  So, even if the uid/password are un-encrypted on disk, this may not be a security concern.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira