According to Apache Shiro official page's security-reports, there has vulnerability when using the default “Remember Me” configuration, cookies could be susceptible to a padding attack.
Now, Zeppelin uses Apache Shiro version 1.3.2. I think it should be updated to 1.4.2. cf) https://shiro.apache.org/security-reports.html
