Richard Bradley created SHIRO-561:
-------------------------------------
Summary: "Remember me" cookie age is not verified server-side
Key: SHIRO-561
URL: https://issues.apache.org/jira/browse/SHIRO-561
Project: Shiro
Issue Type: Bug
Affects Versions: 1.2.4
Reporter: Richard Bradley
The "remember me" cookie has a max age limit which is configurable in Shiro
(see CookieRememberMeManager).
However, Shiro does not enforce this limit at all -- it trusts the client to
expire the "remember me" cookie after the requested time limit.
Because the cookie value has no server-side age verification, if a malicious
client gets a copy of the remember me cookie, then it will last forever,
regardless of the max age limit configured in Shiro.
See also
http://stackoverflow.com/questions/26639205/shiro-how-does-remember-me-work/35633675
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
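The failure mode described in this report, shown as an added example that is not part of the issue or of Shiro's code base. It is written in Python rather than Shiro's Java purely to illustrate the check: the cookie value carries a server-signed issued-at timestamp, and the server rejects the cookie once that timestamp is older than the configured max age, instead of relying on the browser to discard it. `SECRET_KEY`, `MAX_AGE_SECONDS`, the JSON payload layout and the function names are all assumptions for this example; `verify_token_client_trusted` reproduces the reported behaviour (a valid signature is accepted at any age), `verify_token` is the hardened counterpart.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Assumed values for the example: a server-side HMAC key and a one-year
# "remember me" max age (the kind of limit configured on the manager).
SECRET_KEY = b"constructed-demo-key-do-not-use-in-production"
MAX_AGE_SECONDS = 365 * 24 * 3600
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_token(principal, issued_at, key=SECRET_KEY):
    """Build the cookie value: JSON payload with the issue time, then an HMAC over it.

    Embedding the issue time under the MAC is what lets the server enforce the
    age later; a client cannot move the timestamp forward without breaking the tag.
    """
    payload = json.dumps({"p": principal, "iat": int(issued_at)},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def _open_token(token, key):
    """Return the authenticated payload dict, or None if the tag or encoding is bad."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        if len(tag) != TAG_LEN:
            return None
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        data = json.loads(payload.decode())
        if not isinstance(data.get("p"), str) or not isinstance(data.get("iat"), int):
            return None
        return data
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def verify_token_client_trusted(token, now, key=SECRET_KEY):
    """Vulnerable variant: checks integrity only and never looks at the age.

    This mirrors the reported behaviour: the Set-Cookie Max-Age is the only
    expiry, so a stolen cookie presented years later is still accepted.
    """
    data = _open_token(token, key)
    return data["p"] if data else None


def verify_token(token, now, max_age=MAX_AGE_SECONDS, key=SECRET_KEY):
    """Hardened variant: the server enforces max_age from the signed issue time.

    Returns the principal when the cookie is authentic and not older than
    max_age, otherwise None. Tokens dated in the future are also rejected.
    """
    data = _open_token(token, key)
    if data is None:
        return None
    age = int(now) - data["iat"]
    if age < 0 or age > max_age:
        return None
    return data["p"]
```

`verify_token` accepts an age of exactly `max_age` and rejects anything beyond it; that boundary, and the zero-tolerance rejection of future-dated tokens, are choices for the example, and a real deployment would allow a small clock-skew window. The point of the comparison is that once the expiry is bound to the signed value, a copied cookie stops working at the configured limit even though the client can keep sending it.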