From: "Adrian Crum" <[email protected]>
--- On Sat, 7/31/10, David E Jones <[email protected]> wrote:
On Jul 31, 2010, at 1:32 PM, Wai wrote:
> David,
> Thanks for the clarification. I suspected that BJ was joking about the password.
>
> I was running the ecommerce app with the username 'ecomUser1'. Looking at the browser cookie, the username is indeed stored in the cookie for ecommerce.autoUserLoginId:
>
> JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1
>
> Even after logout, the username still persists, e.g.:
>
> OFBiz.Visitor=10041; ecommerce.autoUserLoginId=ecomUser1
>
> What this implies is that, on a public computer, the next person would be able to find out the username of the last person that used the OFBiz ecommerce app.
>
> Just as an aside, my PayPal account cookie does not contain the username. Here is a sample. As you can see, there is username/email address in the cookie.
>
> s_sess=%20s_cc%3Dtrue%3B%20s_refresh%3DMy%2720Account%2570Overview%3B%20s_sq%3D%3B
>
> Likewise with Skype, there is no personally identifiable info:
>
> __utma=184135460.640743321.1280604163.1280607163.1280704163.1;
> __utmb=184135760.1.10.1280704163; __utmc=184137460;
> __utmz=184175460.1280604163.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
> s_cc=true; s_sq=%5B%5BB%5D%5D;
> s_vi=[CS]v1|262A3C72051D3AF6-40000731C035DA5D[CE];
> SC=CC=:CCY=CAD:LC=en-us:LIM=:TM=1280704288:TS=1280704264:TZ=-04%7C00:VAT=:VER=;
> mbox=check#true#1280607257|session#1280704173508-139822#1280706057|PC#1280607173508-137822.17#1283176197
>
> Nevertheless, I was always under the impression that when an application authenticates a user, only a token is stored in the browser cookie to identify the user. This token is usually the session id.
>
> Thanks
Session cookies are totally different and separate from the very common username cookies. Keep studying.

Also keep in mind that storing the session ID in a cookie is a security risk too - that session ID can be hijacked or reused by another user.

Hence my initial question. Cookies are a security threat. That's why modern browsers give you the options of disabling them or removing them when the browser closes.
-Adrian
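What Wai observed (the autoUserLoginId cookie outliving logout) and what Adrian raises (a session id in a cookie can be replayed) have the same two server-side answers: on logout, invalidate the session and expire both cookies; on login, discard the pre-authentication session id and issue a fresh one with HttpOnly/Secure/SameSite. The following is an added example, written for this thread in Python with the standard library; it is not OFBiz code. The cookie names and the sample Cookie header are taken from Wai's message; the in-memory session store and the attribute choices are assumptions for illustration, not how the servlet container or OFBiz actually does it.

```python
"""Added example (not OFBiz code): what a logout and a login should do
with the cookies seen in the thread.

Only the standard library is used. The request cookie header below is
constructed from the one Wai pasted; the session store is a stand-in for
the servlet container's and is not how OFBiz stores sessions.
"""
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"
# Cookie name taken from the thread (the ecommerce webapp's remembered login id).
USERNAME_COOKIE = "ecommerce.autoUserLoginId"

# Constructed sample input: the Cookie header a browser would send back.
SAMPLE_COOKIE_HEADER = (
    "JSESSIONID=6CE1F96832E46AEECF2F537D8CA6419B.jvm1; "
    "OFBiz.Visitor=10041; "
    "ecommerce.autoUserLoginId=ecomUser1"
)


class SessionStore:
    """Minimal in-memory stand-in (assumed) for the container's session table."""

    def __init__(self):
        self.sessions = {}

    def create(self, user):
        # 128 bits from the OS CSPRNG: the id is the only secret the
        # browser holds, so it must be unguessable.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user}
        return sid

    def destroy(self, sid):
        self.sessions.pop(sid, None)

    def user_for(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def parse_cookie_header(header):
    """Cookie request header -> {name: value}."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def login_headers(store, request_cookie_header, user):
    """Set-Cookie headers for a successful authentication.

    The pre-authentication session id is discarded and a fresh one issued
    (an id planted or sniffed before login is then worthless), and the cookie
    is sent HttpOnly/Secure/SameSite. Nothing about the user is put in it;
    the server-side store is what ties the id to the user.
    """
    old_sid = parse_cookie_header(request_cookie_header).get(SESSION_COOKIE)
    store.destroy(old_sid)
    sid = store.create(user)
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = sid
    morsel = jar[SESSION_COOKIE]
    morsel["path"] = "/"
    morsel["httponly"] = True   # not readable from document.cookie
    morsel["secure"] = True     # never sent over plain HTTP
    morsel["samesite"] = "Lax"  # not sent on cross-site POSTs
    return [("Set-Cookie", morsel.OutputString())]


def logout_headers(store, request_cookie_header):
    """Set-Cookie headers for logout.

    Invalidates the session server-side (a copied JSESSIONID can no longer
    be replayed) and expires both the session cookie and the remembered
    username cookie, so the next user of the browser learns nothing.
    """
    cookies = parse_cookie_header(request_cookie_header)
    store.destroy(cookies.get(SESSION_COOKIE))
    jar = SimpleCookie()
    for name in (SESSION_COOKIE, USERNAME_COOKIE):
        if name in cookies:
            jar[name] = ""
            jar[name]["max-age"] = 0  # browser deletes it immediately
            jar[name]["path"] = "/"
    return [("Set-Cookie", m.OutputString()) for m in jar.values()]


def cookies_revealing(request_cookie_header, user):
    """Names of cookies whose value contains the login id: the check Wai
    did by eye, as a function to run against a captured header."""
    return sorted(
        name for name, value in parse_cookie_header(request_cookie_header).items()
        if user in value
    )


if __name__ == "__main__":
    store = SessionStore()
    for _, h in login_headers(store, SAMPLE_COOKIE_HEADER, "ecomUser1"):
        print("login:  Set-Cookie:", h)
    for _, h in logout_headers(store, SAMPLE_COOKIE_HEADER):
        print("logout: Set-Cookie:", h)
    print("cookies leaking the login id:",
          cookies_revealing(SAMPLE_COOKIE_HEADER, "ecomUser1"))
```

The point of `cookies_revealing` is that the leak is visible from the request side alone: anyone who can read the browser's cookie jar, on a shared machine or through a script on the page, sees whatever the server chose to store there, which is why the only thing worth storing is an opaque id that the server can revoke.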
Also there is this type of cookie:
http://en.wikipedia.org/wiki/Local_Shared_Object
I use BetterPrivacy on FF
Jacques