--- On Sat, 7/31/10, David E Jones <[email protected]> wrote:

> On Jul 31, 2010, at 1:32 PM, Wai wrote:
>
> > David,
> > Thanks for the clarification. I suspected that BJ was joking about the
> > password.
> >
> > I was running the ecommerce app with the username 'ecomUser1'. Looking at the
> > browser cookie, the username is indeed stored in the cookie for
> > ecommerce.autoUserLoginId
> >
> > JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; OFBiz.Visitor=10041;
> > ecommerce.autoUserLoginId=ecomUser1
> >
> > Even after logout, the username still persists, e.g.
> >
> > OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1
> >
> > What this implies is that, on a public computer, the next person would be
> > able to find out the username of the last person that used the ofbiz
> > ecommerce app.
> >
> > Just as an aside, my paypal account cookie does not contain the username.
> > Here is a sample. As you can see, there is username/email address in the
> > cookie.
> >
> > s_sess=%20s_cc%3Dtrue%3B%20s_refresh%3DMy%2720Account%2570Overview%3B%20s_sq%3D%3B
> >
> > Likewise with skype, there is no personally identifiable info:
> >
> > __utma=184135460.640743321.1280604163.1280607163.1280704163.1;
> > __utmb=184135760.1.10.1280704163; __utmc=184137460;
> > __utmz=184175460.1280604163.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
> > s_cc=true; s_sq=%5B%5BB%5D%5D;
> > s_vi=[CS]v1|262A3C72051D3AF6-40000731C035DA5D[CE];
> > SC=CC=:CCY=CAD:LC=en-us:LIM=:TM=1280704288:TS=1280704264:TZ=-04%7C00:VAT=:VER=;
> > mbox=check#true#1280607257|session#1280704173508-139822#1280706057|PC#1280607173508-137822.17#1283176197
> >
> > Nevertheless, I was always under the impression that when an application
> > authenticates a user, only a token is stored in the browser cookie to
> > identify the user. This token is usually the session id.
> >
> > Thanks
>
> Session cookies are totally different and separate from the very common
> username cookies.
>
> Keep studying.

Also keep in mind that storing the session ID in a cookie is a security risk too - that session ID can be hijacked or reused by another user. Hence my initial question. Cookies are a security threat. That's why modern browsers give you the options of disabling them or removing them when the browser closes.

-Adrian
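Both points raised in this thread, the ecommerce.autoUserLoginId value surviving logout and the session ID being reusable by whoever gets hold of it, come down to what the logout response does to the browser's cookies. The following is an added Python check, not code from the thread or from OFBiz; the Set-Cookie headers and the rotated JSESSIONID value are constructed samples, and the cookie names are the ones Wai observed.

```python
"""Audit the Set-Cookie headers a logout response emits for the two problems in the thread."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample: the cookies the browser held before logout, mirroring
# the values quoted in the thread.
PRE_LOGOUT_COOKIES = {
    "JSESSIONID": "6CE1F96832E46AEECF2F537D8CA6419B.jvm1",
    "OFBiz.Visitor": "10041",
    "ecommerce.autoUserLoginId": "ecomUser1",
}
# Constructed logout responses: a weak one that leaves the username cookie in
# place, and a hardened one that expires it and rotates the session cookie.
WEAK_LOGOUT_RESPONSE = [
    "JSESSIONID=A1B2C3D4E5F60718293A4B5C6D7E8F90.jvm1; Path=/",
]
HARDENED_LOGOUT_RESPONSE = [
    "JSESSIONID=A1B2C3D4E5F60718293A4B5C6D7E8F90.jvm1; Path=/; Secure; HttpOnly",
    "ecommerce.autoUserLoginId=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
]

def _is_deleted(morsel, now):
    """True when the header deletes the cookie (Max-Age<=0 or an Expires in the past)."""
    if morsel["max-age"] not in ("", None) and int(morsel["max-age"]) <= 0:
        return True
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]) <= now
    return False

def audit_logout(pre_cookies, set_cookie_headers,
                 identity_cookie="ecommerce.autoUserLoginId", now=None):
    """Return a list of findings; an empty list means the logout looks clean."""
    now = now or datetime.now(timezone.utc)
    findings = []
    seen = {}
    for header in set_cookie_headers:  # one Set-Cookie header per entry
        jar = SimpleCookie()
        jar.load(header)
        seen.update(jar)
    # 1. The persistent username cookie must be expired, not left for the next user.
    ident = seen.get(identity_cookie)
    if ident is None or not _is_deleted(ident, now):
        findings.append(f"{identity_cookie} not cleared on logout")
    # 2. The session ID must be rotated so a captured value is no longer valid,
    #    and the new one should carry Secure and HttpOnly.
    sess = seen.get("JSESSIONID")
    if sess is None or sess.value == pre_cookies.get("JSESSIONID"):
        findings.append("JSESSIONID not rotated on logout")
    elif not (sess["secure"] and sess["httponly"]):
        findings.append("JSESSIONID missing Secure/HttpOnly")
    return findings
```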
