David,

Thanks for the clarification. I suspected that BJ was joking about the password.

I was running the ecommerce app with the username 'ecomUser1'. Looking at the browser cookie, the username is indeed stored in the cookie for ecommerce.autoUserLoginId:

JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1

Even after logout, the username still persists, e.g.:

OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1

What this implies is that, on a public computer, the next person would be able to find out the username of the last person that used the OFBiz ecommerce app.

Just as an aside, my PayPal account cookie does not contain the username. Here is a sample. As you can see, there is username/email address in the cookie.

s_sess=%20s_cc%3Dtrue%3B%20s_refresh%3DMy%2720Account%2570Overview%3B%20s_sq%3D%3B

Likewise with Skype, there is no personally identifiable info:

__utma=184135460.640743321.1280604163.1280607163.1280704163.1; __utmb=184135760.1.10.1280704163; __utmc=184137460; __utmz=184175460.1280604163.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|262A3C72051D3AF6-40000731C035DA5D[CE]; SC=CC=:CCY=CAD:LC=en-us:LIM=:TM=1280704288:TS=1280704264:TZ=-04%7C00:VAT=:VER=; mbox=check#true#1280607257|session#1280704173508-139822#1280706057|PC#1280607173508-137822.17#1283176197

Nevertheless, I was always under the impression that when an application authenticates a user, only a token is stored in the browser cookie to identify the user. This token is usually the session id.

Thanks

--
View this message in context: http://ofbiz.135035.n4.nabble.com/username-stored-in-browser-cookie-tp2308984p2309061.html
Sent from the OFBiz - User mailing list archive at Nabble.com.
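The comparison made in the message above can be automated. The following is an added example, not part of the original post and not OFBiz code: it parses the Cookie headers captured before and after logout and reports which cookies carry a known user identifier and whether they survive logout. The function names are hypothetical; the two headers are the ones quoted in the message.

```python
from urllib.parse import unquote


def parse_cookie_header(header):
    """Split a Cookie request header into an ordered {name: value} dict."""
    cookies = {}
    for part in header.split(";"):
        # Split on the first '=' only, since cookie values may contain '='.
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def identifier_leaks(header, identifiers):
    """Names of cookies whose URL-decoded value contains a known identifier."""
    leaks = []
    for name, value in parse_cookie_header(header).items():
        decoded = unquote(value).lower()
        if any(ident.lower() in decoded for ident in identifiers):
            leaks.append(name)
    return leaks


def audit_logout(before, after, identifiers):
    """Classify identifier-bearing cookies by whether they survive logout."""
    still_present = set(identifier_leaks(after, identifiers))
    report = {"cleared_at_logout": [], "persists_after_logout": []}
    for name in identifier_leaks(before, identifiers):
        key = "persists_after_logout" if name in still_present else "cleared_at_logout"
        report[key].append(name)
    return report


# Cookie headers as quoted in the message above.
LOGGED_IN = ("JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; "
             "OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1")
LOGGED_OUT = "OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1"

if __name__ == "__main__":
    print(audit_logout(LOGGED_IN, LOGGED_OUT, ["ecomUser1"]))
```

Values are URL-decoded before matching, so an identifier stored as a percent-encoded email address is also caught.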
