First of all, thank you for your hard work!
Watching the comments on the new Remember Me functionality, I have a suggestion to 
replace the current basic (in my opinion not sufficient) user-name-cookie approach 
with the following, far more secure scenario:

Create Remember Me cookie:
1.1. get: username, expiryTime (optional), passwordHash (!!!), customStringToken.
1.2. create an MD5/SHA1 digest from the fields above
1.3. store the base64-encoded username+digest value in a cookie, setting the 
expiration date. Send it to the user.

Validate user:
2.1. get the cookie, decode the base64-encoded value
2.2. load the user data by username
2.3. calculate the MD5/SHA1 digest from exactly those values that were used in 1.1 
(getting these from the retrieved-by-name user data, request, etc.)
2.4. compare this newly calculated digest to the one stored in the cookie; if 
they match we are sure that the remember-me token is valid and allow the user to 
log in.
 
The fields in point 1.1 can/should optionally be extended to secure against 
naive cookie-hijacking issues (hostname?)


Regards,
Przemek.



View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4011874#4011874

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4011874
_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user
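The two procedures above (create and validate), as an added worked example that is not part of the original post and not JBoss code. It follows the post's field list (username, expiry, password hash, per-user token) and its base64 username+digest cookie layout; the user store, the field names, the `SERVER_SECRET` and the `|` separator are constructed for illustration. Two substitutions are mine rather than the post's: the digest is HMAC-SHA256 keyed with a server-wide secret instead of an unkeyed MD5/SHA1, and the comparison in step 2.4 is constant-time. Binding the digest to the password hash, as the post suggests, means a password change invalidates every outstanding cookie, which the example also demonstrates.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample user store: placeholder hash and token strings, not
# real credentials. In a real application these come from the user table.
USERS = {
    "alice": {
        "password_hash": "sha256$7c4a8d09ca3762af61e59520943dc26494f8941b",
        "token": "e0f7c2a1-constructed-per-user-token",
    },
}

# Assumption (not in the original post): a server-wide secret keys the
# digest, so knowing a user's password hash and token is not enough to
# mint a cookie. Rotating it logs every remembered user out.
SERVER_SECRET = b"constructed-server-secret-rotate-me"


def _digest(username: str, expiry: int, password_hash: str, token: str) -> str:
    """Steps 1.2 / 2.3: digest over exactly the fields the post lists.
    HMAC-SHA256 is substituted here for the post's MD5/SHA1."""
    msg = f"{username}|{expiry}|{password_hash}|{token}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def create_cookie(username: str, users=USERS, lifetime: int = 14 * 86400, now=None) -> str:
    """Step 1: base64(username|expiry|digest). `now` is injectable for tests."""
    user = users[username]
    expiry = int(now if now is not None else time.time()) + lifetime
    digest = _digest(username, expiry, user["password_hash"], user["token"])
    return base64.urlsafe_b64encode(f"{username}|{expiry}|{digest}".encode()).decode()


def validate_cookie(cookie: str, users=USERS, now=None):
    """Step 2: return the username for a valid cookie, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode()).decode()
        # rsplit so a username containing '|' still parses; the digest
        # covers the username, so splitting cannot be abused.
        username, expiry_s, presented = raw.rsplit("|", 2)
        expiry = int(expiry_s)
    except ValueError:  # bad base64, bad UTF-8, missing fields, non-numeric expiry
        return None
    current = int(now if now is not None else time.time())
    if expiry <= current:
        return None
    user = users.get(username)
    if user is None:
        return None
    # Step 2.3: recompute from the stored user data, never from the cookie.
    expected = _digest(username, expiry, user["password_hash"], user["token"])
    # Step 2.4: constant-time comparison avoids timing leaks on the digest.
    if not hmac.compare_digest(expected, presented):
        return None
    return username


def rewrite_expiry(cookie: str, new_expiry: int) -> str:
    """Attacker's move: keep the digest, push the expiry out. Because the
    expiry is one of the digested fields, validation must fail."""
    raw = base64.urlsafe_b64decode(cookie.encode()).decode()
    username, _, digest = raw.rsplit("|", 2)
    return base64.urlsafe_b64encode(f"{username}|{new_expiry}|{digest}".encode()).decode()


if __name__ == "__main__":
    t0 = 1_000_000
    c = create_cookie("alice", now=t0)
    print("fresh cookie:", validate_cookie(c, now=t0 + 1))
    print("after expiry:", validate_cookie(c, now=t0 + 14 * 86400))
    print("expiry tampered:", validate_cookie(rewrite_expiry(c, t0 + 10 ** 8), now=t0 + 1))
    changed = {"alice": {**USERS["alice"], "password_hash": "sha256$changed"}}
    print("after password change:", validate_cookie(c, users=changed, now=t0 + 1))
```

The post's "(hostname?)" idea maps onto adding that value to the `_digest` inputs on both sides; it narrows replay from a different origin but does not change the fact that the cookie is a bearer credential, so it should still be sent with the `Secure` and `HttpOnly` attributes.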