Yep. Do you think it wasn't the case for Google Wave Notifier?

On Sat, Apr 21, 2012 at 11:05 PM, Ali Lown <a...@lown.me.uk> wrote:
> >> @Yuri:
> >> If we wanted to add the ability to 'remember me' for the logins how do
> >> we want to ensure sessions aren't hijacked? The obvious way would be
> >> to use a cookie with some form of unique id in, but the unique id
> >> shouldn't be related to the user-id otherwise it could be predicted
> >> and used to bypass authentication.
> >>
> >> I think the session is stored in the JSESSIONID cookie by Jetty and
> > notifier can access it even if the tab was closed since it has access to
> > cookies on the wiab domain that is defined in manifest.json of the chrome
> > extension.
>
> Yes, but this still relies on the user having logged in within the
> current browser session (closing and reopening the browser invalidates
> the session ATM).
>