[jboss-user] [JBoss Seam] - Re: Security Remember Me Functionality

przemjaskier do-not-reply at jboss.com
Mon Feb 19 06:44:02 EST 2007

Ok, but in case when only user name is used for creation of the  "remember me" cookie, someone can simply create such cookie without performing any "sophisticated" attacks like XSS or cookie-hijacking.

Amazon's approach mentioned by Christian and hashing cookie value can be the recommended approach. Anyway, I added comment to 
sugesting the cookie creation procedure. Maybe someone can figure out some kind of anti-cookie-hijacking procedure here. Using remoteAddress or host name in cookie creation is a little bit to strict because of plenty of dynamic IPs.

Anyway, I think that this problem should be treated seriously, because some people can get into real trouble when using this out-of-the-box.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018771#4018771

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4018771

More information about the jboss-user mailing list