On Jul 31, 2010, at 1:32 PM, Wai wrote:
>
> David,
> Thanks for the clarification. I suspected that BJ was joking about the password.
>
> I was running the ecommerce app with the username 'ecomUser1'. Looking at the browser cookie, the username is indeed stored in the cookie for ecommerce.autoUserLoginId
>
> JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1
>
> Even after logout, the username still persists, e.g.
>
> OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1
>
> What this implies is that, on a public computer, the next person would be able to find out the username of the last person that used the ofbiz ecommerce app.
>
> Just as an aside, my paypal account cookie does not contain the username. Here is a sample. As you can see, there is username/email address in the cookie.
>
> s_sess=%20s_cc%3Dtrue%3B%20s_refresh%3DMy%2720Account%2570Overview%3B%20s_sq%3D%3B
>
> Likewise with skype, there is no personally identifiable info:
>
> __utma=184135460.640743321.1280604163.1280607163.1280704163.1;
> __utmb=184135760.1.10.1280704163; __utmc=184137460;
> __utmz=184175460.1280604163.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
> s_cc=true; s_sq=%5B%5BB%5D%5D;
> s_vi=[CS]v1|262A3C72051D3AF6-40000731C035DA5D[CE];
> SC=CC=:CCY=CAD:LC=en-us:LIM=:TM=1280704288:TS=1280704264:TZ=-04%7C00:VAT=:VER=;
> mbox=check#true#1280607257|session#1280704173508-139822#1280706057|PC#1280607173508-137822.17#1283176197
>
> Nevertheless, I was always under the impression that when an application authenticates a user, only a token is stored in the browser cookie to identify the user. This token is usually the session id.
>
> Thanks
Session cookies are totally different and separate from the very common username cookies. Keep studying. -David
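The distinction David draws (an opaque session cookie versus a "remember the username" cookie) is exactly what a logout handler on a shared machine has to act on. The following is an added example, not code from the thread or from OFBiz: it parses a Cookie header in the shape Wai quoted, reports which cookies carry a user identifier rather than a session token, and builds the Set-Cookie headers a logout response would send to expire them. The cookie names treated as identity-bearing (`ecommerce.autoUserLoginId`) and as the session cookie (`JSESSIONID`) are assumptions taken from the quoted string; the sample header itself is constructed.

```python
from http.cookies import SimpleCookie

# Constructed sample in the shape of the cookie string quoted in the thread:
# an opaque session id, a visitor counter and a "remember username" cookie.
SAMPLE_COOKIE_HEADER = (
    "JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; "
    "OFBiz.Visitor=10041; "
    "ecommerce.autoUserLoginId=ecomUser1"
)

# Assumption for this example: these cookie names carry a user identifier
# (a username) rather than an opaque token. A real deployment would fill
# this set from its own configuration.
IDENTITY_COOKIES = {"ecommerce.autoUserLoginId"}

# Assumption: the server-side session is keyed only by this cookie.
SESSION_COOKIE = "JSESSIONID"


def parse_cookie_header(header: str) -> dict:
    """Parse a browser Cookie request header into {name: value}."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def find_identity_cookies(header: str) -> dict:
    """Return the cookies that reveal who the user is, not just which session."""
    return {n: v for n, v in parse_cookie_header(header).items()
            if n in IDENTITY_COOKIES}


def logout_set_cookie_headers(header: str, path: str = "/") -> list:
    """Build the Set-Cookie response headers a logout handler should send:
    one expiring entry for the session cookie and one for every
    identity-bearing cookie the browser presented. Max-Age=0 clears the
    cookie in current browsers; the epoch Expires date covers older ones."""
    present = parse_cookie_header(header)
    to_clear = [n for n in sorted(present)
                if n == SESSION_COOKIE or n in IDENTITY_COOKIES]
    return [
        f"{name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
        f"Path={path}; HttpOnly"
        for name in to_clear
    ]


def cookies_after_logout(header: str) -> dict:
    """Simulate the browser applying those Set-Cookie headers and return
    what remains in its jar. After logout no username should be left; only
    cookies that identify neither the user nor the session may survive."""
    cleared = {h.split("=", 1)[0] for h in logout_set_cookie_headers(header)}
    return {n: v for n, v in parse_cookie_header(header).items()
            if n not in cleared}


if __name__ == "__main__":
    print("identity cookies before logout:",
          find_identity_cookies(SAMPLE_COOKIE_HEADER))
    for h in logout_set_cookie_headers(SAMPLE_COOKIE_HEADER):
        print("Set-Cookie:", h)
    print("cookies left after logout:",
          cookies_after_logout(SAMPLE_COOKIE_HEADER))
```

Run as a script it lists the one identity-bearing cookie, prints two expiring Set-Cookie headers, and shows that only `OFBiz.Visitor` survives the simulated logout. The same `cookies_after_logout` check is what a logout test would assert on: if a username-valued cookie is still present afterwards, the "remember me" feature is outliving the session on that browser.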
