Attacker does not need to recover the password to log in to the application. All 
they need is the hash, which is right there in the cookies. Sure, you can try 
to timeout the hash after some period of time, but this is silly because (a) a 
short timeout means that the whole functionality is useless and (b) a longer 
timeout means that knowing the hash is as good as knowing the password.

All browsers can remember passwords anyway.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018225#4018225

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4018225
_______________________________________________
jboss-user mailing list
https://lists.jboss.org/mailman/listinfo/jboss-user
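The failure mode described in the post, shown as an added example that is not code from the post or from JBoss: in the weak scheme the "remember me" cookie carries the stored password hash, so the server's check `cookie == stored_hash` makes the hash a password equivalent, and a copy of the cookie logs the holder in for as long as the account exists. The `RememberMeStore` class beside it is one hardened alternative (an opaque random token, stored server-side only as a digest, with an expiry and explicit revocation). The user name, salt and password are constructed sample values; function and class names are this example's own.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample user store: username -> salted password hash (not real credentials).
PASSWORD_SALT = b"constructed-salt"
USERS = {
    "alice": hashlib.sha256(PASSWORD_SALT + b"correct horse battery staple").hexdigest(),
}


# --- Weak scheme from the post: the cookie value IS the stored password hash. ---
def weak_remember_cookie(username):
    """Issue the 'remember me' cookie: the server simply hands out its stored hash."""
    return USERS[username]


def weak_login_with_cookie(username, cookie_value):
    """Server-side check: whoever presents the stored hash is authenticated.

    Nobody ever needs to recover the password; the hash alone is sufficient,
    and because the hash never changes, a re-issued cookie after any timeout
    carries exactly the same value as the stolen one.
    """
    return hmac.compare_digest(cookie_value, USERS[username])


# --- Hardened alternative: opaque random token, digest stored server-side, expiry, revocation. ---
class RememberMeStore:
    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._tokens = {}  # sha256(token) -> (username, expiry timestamp)

    @staticmethod
    def _digest(raw_token):
        # Only the digest is persisted, so a leak of this table does not yield usable cookies.
        return hashlib.sha256(raw_token.encode("ascii")).hexdigest()

    def issue(self, username, now=None):
        """Mint a fresh random token for the user and return it for the Set-Cookie header."""
        now = time.time() if now is None else now
        raw_token = secrets.token_urlsafe(32)  # 256 bits of randomness, unrelated to the password
        self._tokens[self._digest(raw_token)] = (username, now + self.ttl)
        return raw_token

    def authenticate(self, raw_token, now=None):
        """Return the username for a valid, unexpired token, else None (expired tokens are purged)."""
        now = time.time() if now is None else now
        key = self._digest(raw_token)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._tokens[key]
            return None
        return username

    def revoke(self, raw_token):
        """Logout / 'sign out everywhere': the token stops working immediately, before any timeout."""
        self._tokens.pop(self._digest(raw_token), None)


if __name__ == "__main__":
    stolen = weak_remember_cookie("alice")
    print("weak scheme, stolen cookie still logs in:", weak_login_with_cookie("alice", stolen))
    print("weak scheme, re-issued cookie equals the stolen one:", weak_remember_cookie("alice") == stolen)

    store = RememberMeStore(ttl_seconds=3600)
    token = store.issue("alice")
    print("hardened scheme, valid token:", store.authenticate(token))
    store.revoke(token)
    print("hardened scheme, after revoke:", store.authenticate(token))
```

The `now` parameter on `issue` and `authenticate` exists only so the expiry path can be exercised deterministically; in a real deployment the token should additionally be bound to the session (for example, rotated on every use) and sent with `Secure` and `HttpOnly` cookie attributes, which the example leaves out.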
