>> @Yuri:
>> If we wanted to add the ability to 'remember me' for the logins how do
>> we want to ensure sessions aren't hijacked? The obvious way would be
>> to use a cookie with some form of unique id in, but the unique id
>> shouldn't be related to the user-id otherwise it could be predicted
>> and used to bypass authentication.
>>
> I think the session is stored in the JSESSIONID cookie by Jetty and
> notifier can access it even if the tab was closed since it has access to
> cookies on the wiab domain that is defined in manifest.json of the chrome
> extension.
Yes, but this still relies on the user having logged in within the current browser session (closing and reopening the browser invalidates the session ATM).
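One way to build the persistent-login token Yuri describes, as an added example that is not code from the Wave in a Box project or from anyone in this thread: the cookie carries a random selector plus a random validator, the server stores only a hash of the validator keyed by the selector, and nothing in the cookie is derived from the user id, so it cannot be predicted from one. The in-memory store, the 30-day lifetime, and the method names are assumptions made for the example; a real deployment would back it with a database table and set the cookie with the Secure and HttpOnly flags.

```python
import hashlib
import hmac
import secrets
import time

REMEMBER_ME_TTL = 30 * 24 * 3600  # 30 days, in seconds (assumed policy)


class RememberMeStore:
    """In-memory stand-in for a server-side table of remember-me tokens.

    Each cookie value is 'selector:validator'. The selector is a random
    lookup key (not the user id, so it reveals and predicts nothing); only a
    hash of the validator is stored, so a leaked table cannot be replayed.
    """

    def __init__(self):
        # selector -> (user_id, sha256(validator) as hex, expires_at)
        self._rows = {}

    def issue(self, user_id, now=None):
        """Create a new token series for user_id and return the cookie value."""
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)    # 96 random bits
        validator = secrets.token_urlsafe(32)   # 256 random bits
        digest = hashlib.sha256(validator.encode()).hexdigest()
        self._rows[selector] = (user_id, digest, now + REMEMBER_ME_TTL)
        return f"{selector}:{validator}"

    def validate(self, cookie_value, now=None):
        """Return the user id for a valid cookie, else None.

        A known selector with a wrong validator means someone presented a
        forged or stale copy of this series: revoke the series so the real
        user has to log in again (the cost of a false positive is one login).
        """
        now = time.time() if now is None else now
        if not cookie_value or ":" not in cookie_value:
            return None
        selector, validator = cookie_value.split(":", 1)
        row = self._rows.get(selector)
        if row is None:
            return None
        user_id, digest, expires_at = row
        presented = hashlib.sha256(validator.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):   # constant-time compare
            del self._rows[selector]
            return None
        if now > expires_at:
            del self._rows[selector]
            return None
        return user_id

    def rotate(self, cookie_value, now=None):
        """Swap the validator after each successful use so a copied cookie goes stale."""
        user_id = self.validate(cookie_value, now)
        if user_id is None:
            return None
        selector = cookie_value.split(":", 1)[0]
        del self._rows[selector]
        return self.issue(user_id, now)

    def revoke_user(self, user_id):
        """'Log out everywhere': drop every remembered series for the user."""
        for selector in [s for s, r in self._rows.items() if r[0] == user_id]:
            del self._rows[selector]
```

On each request that arrives without a live JSESSIONID, the server would call `validate` (or `rotate`) on the remember-me cookie and, on success, start a fresh Jetty session for the returned user; the remember-me cookie itself never becomes the session identifier.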
