On Jul 31, 2010, at 1:48 PM, Adrian Crum wrote:

> --- On Sat, 7/31/10, David E Jones <[email protected]> wrote:
>
>> On Jul 31, 2010, at 1:32 PM, Wai wrote:
>>
>>> David,
>>> Thanks for the clarification. I suspected that BJ was joking about the
>>> password.
>>>
>>> I was running ecommerce app with the username 'ecomUser1'. Looking at the
>>> browser cookie, the username is indeed stored in the cookie for
>>> ecommerce.autoUserLoginId
>>>
>>> JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; OFBiz.Visitor=10041;
>>> ecommerce.autoUserLoginId=ecomUser1
>>>
>>> Even after logout, the username still persists. eg.
>>>
>>> OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1
>>>
>>> What this implies is that, on a public computer, the next person would be
>>> able to find out the username of the last person that used the ofbiz
>>> ecommerce app.
>>>
>>> Just as an aside, my paypal account cookie does not contain the username.
>>> Here is a sample. As you can see, there is username/email address in the
>>> cookie.
>>>
>>> s_sess=%20s_cc%3Dtrue%3B%20s_refresh%3DMy%2720Account%2570Overview%3B%20s_sq%3D%3B
>>>
>>> Likewise with skype, there is no personally identifiable info:
>>>
>>> __utma=184135460.640743321.1280604163.1280607163.1280704163.1;
>>> __utmb=184135760.1.10.1280704163; __utmc=184137460;
>>> __utmz=184175460.1280604163.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
>>> s_cc=true; s_sq=%5B%5BB%5D%5D;
>>> s_vi=[CS]v1|262A3C72051D3AF6-40000731C035DA5D[CE];
>>> SC=CC=:CCY=CAD:LC=en-us:LIM=:TM=1280704288:TS=1280704264:TZ=-04%7C00:VAT=:VER=;
>>> mbox=check#true#1280607257|session#1280704173508-139822#1280706057|PC#1280607173508-137822.17#1283176197
>>>
>>> Nevertheless, I was always under the impression that when an application
>>> authenticates a user, only a token is stored in the browser cookie to
>>> identify the user. This token is usually the session id.
>>>
>>> Thanks
>>
>> Session cookies are totally different and separate from the very common
>> username cookies. Keep studying.
>
> Also keep in mind that storing the session ID in a cookie is a security risk
> too - that session ID can be hijacked or reused by another user.
>
> Hence my initial question. Cookies are a security threat. That's why modern
> browsers give you the options of disabling them or removing them when the
> browser closes.
Actually, when you are using HTTPS, cookies are not generally used for session ID since HTTPS has session tracking built in, so it's not needed. Generally an HTTPS session is fairly hard to hijack (or at least harder than sniffing a cookie in plain text over the wire). In plain HTTP not much is secure, but in HTTPS it is pretty good, including the session tracking.

-David
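As an added example, not from this thread or from the OFBiz code base: a small Python audit of the Set-Cookie headers a logout response returns, modelled on the cookie names Wai posted. The sample headers, the split into "identity" and "session" cookie names, and the clearing header are constructed assumptions for the example.

```python
# Added example (not from the thread or from OFBiz): audit the Set-Cookie
# headers a logout response sends, flagging identity-bearing cookies that
# survive logout and session cookies missing Secure/HttpOnly or persisted.
# Cookie names are from the thread; the classification is an assumption.
IDENTITY_COOKIES = {"ecommerce.autoUserLoginId"}
SESSION_COOKIES = {"JSESSIONID"}

# Constructed sample: a logout response that re-issues the cookies it already
# had instead of clearing the username cookie.
LOGOUT_HEADERS = [
    "JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; Path=/; Secure; HttpOnly",
    "OFBiz.Visitor=10041; Path=/; Max-Age=31536000",
    "ecommerce.autoUserLoginId=ecomUser1; Path=/; Max-Age=31536000",
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # bare flags (Secure) map to ""
    return name.strip(), value.strip(), attrs

def is_cleared(value, attrs):
    """A cookie is cleared when its value is emptied or it expires at once."""
    return (value == "" or attrs.get("max-age") == "0"
            or attrs.get("expires", "").startswith("Thu, 01 Jan 1970"))

def audit_logout_cookies(headers):
    """Return one finding per weakness; an empty list means logout is clean."""
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if name in IDENTITY_COOKIES and not is_cleared(value, attrs):
            findings.append(f"{name} still identifies the user after logout: {value}")
        if name in SESSION_COOKIES:
            if "secure" not in attrs:
                findings.append(f"{name} may be sent over plain HTTP (no Secure)")
            if "httponly" not in attrs:
                findings.append(f"{name} readable by page script (no HttpOnly)")
            if "max-age" in attrs or "expires" in attrs:
                findings.append(f"{name} persisted to disk instead of session-only")
    return findings

def clear_cookie_header(name, path="/"):
    """Set-Cookie header that makes the browser drop the named cookie."""
    return f"{name}=; Path={path}; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT"
```

Running the audit over the sample reports only the username cookie, which is exactly the persistence Wai observed; sending `clear_cookie_header("ecommerce.autoUserLoginId")` on logout makes the finding go away.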
