Ok, but in the case when only the user name is used for creation of the remember-me
cookie, someone can simply create such a cookie without performing any
sophisticated attacks like XSS or cookie hijacking.
Amazon's approach mentioned by Christian and hashing the cookie value can be the
recommended
From a security perspective, this is not a good idea. I can steal your
username and password from the cookie with a bit of JavaScript. The only
requirement for that is that somewhere in the web application, user input is
printed on the web page unfiltered (e.g. on a registration screen, there is
Furthermore: today, clients can fill out login forms automatically. It is a
much safer approach:
a) the user decides when he wants to store sensitive information on the client
(e.g. not on a browser in some internet cafe)
b) the user has a clear warning and a message (Do you want to store that
Christian,
I'll have to agree and disagree with you.
First, I agree, never trust the client, there is all manner of bad things that
can be done by the client or done to the client to have it expose confidential
information.
Next, I'll disagree that the proposed scheme would allow an attacker
There is not much difference between getting a valid hash that I can use to
log in to your application, or a cleartext password. I have access to your data.
View the original post :
http://www.jboss.com/index.html?module=bbop=viewtopicp=4018199#4018199
Reply to the post :
And for site personalization, that is what I described as the Amazon
approach. This is what we currently allow, you just need the username for that
and then force re-authentication if the user wants to do more and modify some
sensitive data.
I'm not sure how you could recover the password in plaintext, as it is hashed
along with other attributes. As Jack has mentioned, the most clever attack on
the most secure hash algorithm we have available today (SHA-1) would take ~
2^63 steps to find a collision, which is barely feasible.
An attacker does not need to recover the password to log in to the application. All
they need is the hash, which is right there in the cookies. Sure, you can try
to time out the hash after some period of time, but this is silly because (a) a
short timeout means that the whole functionality is
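To make the points in this thread concrete (Christian's forgery concern about a username-only cookie, the observation that a hash in the cookie is itself a login credential, and the "Amazon approach" of allowing personalization only until the user re-authenticates), here is an added example of the two cookie designs side by side. This is illustrative code written for this discussion, not Seam's remember-me implementation; the secret, the cookie layout `username:expiry:tag` and the `authorize` helper are assumptions.

```python
import hmac
import hashlib
import time

# Constructed server-side secret for the example; in a real deployment it is
# loaded from configuration and never leaves the server.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TWO_WEEKS = 14 * 86400
SENSITIVE_ACTIONS = {"change_password", "change_email", "place_order"}


def make_weak_cookie(username):
    # Username-only cookie: the value carries no proof that the server issued it.
    return username


def weak_cookie_user(cookie):
    # Anyone can "log in" as any user by typing that user's name into the cookie.
    return cookie


def make_signed_cookie(username, secret=SERVER_SECRET, ttl=TWO_WEEKS, now=None):
    # username + expiry, authenticated with a keyed HMAC over both fields.
    now = time.time() if now is None else now
    payload = f"{username}:{int(now + ttl)}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_signed_cookie(cookie, secret=SERVER_SECRET, now=None):
    # Returns the username, or None for a forged, tampered, malformed or expired cookie.
    try:
        username, expiry_str, tag = cookie.rsplit(":", 2)
        expiry = int(expiry_str)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{username}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    now = time.time() if now is None else now
    return username if now < expiry else None


def authorize(cookie, action, password_verified_recently, now=None):
    # The signed cookie is still a bearer credential: whoever holds it can replay it,
    # so it only unlocks personalization; sensitive actions need a fresh password login.
    user = verify_signed_cookie(cookie, now=now)
    if user is None:
        return None
    if action in SENSITIVE_ACTIONS and not password_verified_recently:
        return None
    return user
```

The weak scheme accepts a hand-written cookie for any account, while the signed one rejects a changed username, a changed expiry, a wrong key and an expired token, yet a stolen valid cookie still identifies the user, which is why `authorize` forces re-authentication for sensitive actions.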
From what I gather quickly looking at Seam's source for remember me, it
appears that the username is stored as a cookie when you are
authenticated. This happens if you set the rememberMe attribute to true, like
you did with the check box. Verify that you have a cookie name with
Just wondering whether it's possible to extend the behaviour of the Remember Me
to automatically authenticate the user after they have selected the Remember
Me service rather than have him or her re-enter their password.
Perhaps store a cookie of the following format:
username + expiry +
I was hoping that the functionality worked as described in your second post.
That's how I'd like to be remembered.
But, it seems that to do that you'll need a second authenticate method on your
authenticator component since the password will be unrecoverable from the
cookie, and the current
I suggest you post a feature request in JIRA; that way we'll be forced to deal
with it one way or the other :)
done.
http://jira.jboss.org/jira/browse/JBSEAM-863