[jboss-user] [JBoss Seam] - Re: Security Remember Me Functionality

przemjaskier do-not-reply at jboss.com
Mon Feb 19 06:44:02 EST 2007


Ok, but in case when only the user name is used for creation of the "remember me" cookie, someone can simply create such a cookie without performing any "sophisticated" attacks like XSS or cookie-hijacking.

Amazon's approach mentioned by Christian and hashing the cookie value can be the recommended approach. Anyway, I added a comment to 
http://jira.jboss.com/jira/browse/JBSEAM-735
suggesting the cookie creation procedure. Maybe someone can figure out some kind of anti-cookie-hijacking procedure here. Using remoteAddress or host name in cookie creation is a little bit too strict because of plenty of dynamic IPs.

Anyway, I think that this problem should be treated seriously, because some people can get into real trouble when using this out-of-the-box.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018771#4018771

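As an added illustration (not code from this thread or from Seam itself), the difference between the user-name-only cookie criticised above and a cookie whose user name and expiry are bound together with a server-side keyed hash; SERVER_KEY and the helper names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret for the example; a real deployment loads it
# from protected configuration and rotates it.
SERVER_KEY = secrets.token_bytes(32)


def make_plain_cookie(username: str) -> str:
    """The weak scheme discussed in the thread: the cookie is only the user name."""
    return username


def parse_plain_cookie(cookie: str) -> str:
    """Anyone who knows or guesses a user name can produce an accepted cookie."""
    return cookie


def make_signed_cookie(username: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Bind user name and expiry with an HMAC so the value cannot be forged or altered."""
    current = now if now is not None else int(time.time())
    payload = f"{username}:{current + ttl_seconds}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def parse_signed_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name only if the tag verifies and the cookie is unexpired."""
    try:
        # rsplit tolerates a ':' inside the user name; expiry and tag never contain one.
        username, expires_str, tag = cookie.rsplit(":", 2)
        expires = int(expires_str)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{username}:{expires}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    current = now if now is not None else int(time.time())
    if current >= expires:
        return None
    return username
```

The signed form still does nothing against a stolen cookie being replayed from another machine, which is the separate hijacking problem the post leaves open; server-side revocation of the issued token is the usual complement.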
