[jboss-user] [JBoss Seam] - Re: Security Remember Me Functionality

jcox@captechventures.com do-not-reply at jboss.com
Sat Feb 17 08:34:01 EST 2007


Christian,

I'll have to agree and disagree with you.

First, I agree, never trust the client, there is all manner of bad things that can be done by the client or done to the client to have it expose confidential information.

Next, I'll disagree that the proposed scheme would allow an attacker easy access to the user's password. If a secure hash (like SHA-256, SHA-1 or MD5 [which has some issues]) is stored in the cookie it would take some extensive work (like searching an answer space that is 2^69 big on SHA-1). I don't think hstang explicitly indicated a secure hash, I just assumed it. The inclusion of the expiry time in the hash prevents it from being attacked with a dictionary attack because the salt adds sufficient randomness. On average the attacker would need to compute 2^68 secure hashes; that will take a while.

Also, for useful features like site personalization, having the user re-enter their password each time they access the site would greatly detract from the value of the feature.  Most people just wouldn't use it.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018166#4018166

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4018166
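One way to issue a remember-me cookie that carries no password-derived material at all, so the cookie's contents give an attacker nothing to run a hash search against: an added example, not code from this thread or from Seam, which ties the user name and expiry to a server-side key with HMAC-SHA-256 (SERVER_SECRET is a constructed placeholder).

```python
import hashlib
import hmac

# Assumption: constructed placeholder key. A deployment loads a random
# 32-byte key from configuration, never from source code.
SERVER_SECRET = b"constructed-example-key-not-for-production"


def make_token(username: str, expiry: int, secret: bytes = SERVER_SECRET) -> str:
    """Build a remember-me cookie value of the form "username:expiry:mac".

    The MAC covers the user name and the expiry under a server-side key, so
    the cookie contains nothing derived from the password and the client
    cannot extend the expiry without invalidating the tag.
    """
    msg = f"{username}:{expiry}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{username}:{expiry}:{mac}"


def verify_token(token: str, now: int, secret: bytes = SERVER_SECRET):
    """Return the user name if the token is authentic and unexpired, else None."""
    try:
        # rsplit keeps any ':' inside the user name intact.
        username, expiry_str, mac = token.rsplit(":", 2)
        expiry = int(expiry_str)
    except ValueError:
        return None
    if now >= expiry:
        return None
    expected = hmac.new(secret, f"{username}:{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be recovered byte by byte
    # from timing differences.
    if not hmac.compare_digest(mac, expected):
        return None
    return username
```

Revocation (password change, "log out everywhere") still needs server-side state, for example a per-user random series identifier included in the MAC input and stored with the account; that part is left out here.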
