7 Replies Latest reply on Jul 2, 2007 9:56 AM by Adrian Mitev

    Is "remember me" cookie vulnerable

    Adrian Mitev Master

      Hi! I just played a little with remember cookie. I've created a login page and checkbox for remember me. When i logged in i saw the cookie in the browser:

      cookie name: org.jboss.seam.security.username
      content: <my username here>

      Then i've opened a new instance of the broweser and opened the site and i was logged in automatically.

      So, the question is: if someone create his own cookie with my username would be logged in seam with my session?

        • 1. Re: Is
          Gavin King Master

          Not unless his web browser knows your password.


          Y'know that little box that your browser pops up, asking to remember your login details? Don't automatically click "yes" on that :-)

          • 2. Re: Is
            Adrian Mitev Master

            How is the "remember me" functionality working?

            • 3. Re: Is
              Arjan van Bentem Novice

               

              "amitev" wrote:
              How is the "remember me" functionality working?

              Errrr... When a browser sends a request to a web server, it will also send any cookie it knows for that domain to the server. If that's new for you, then I guess you should read about cookies, and meanwhile also read a bit on HTTP sessions. Even reading about the HTTP protocol, though not Seam-specific at all, might be very useful. For example: search the net for an example about doing a HTTP request yourself, using telnet. Quite useful for anyone developing web applications, I feel.

              Anyway, in this case: the browser only knows the username, as you noticed in the cookie. So it will send the username to the server, and Seam can preset the username in the login form. The browser does not send any password to the server. If the password is filled in as well, then your browser is to blame for that.

              • 4. Re: Is
                Adrian Mitev Master

                So the whole idea for rememberMe is just to remember the username and add it to the userName filed in the login form?

                • 5. Re: Is
                  Adrian Mitev Master

                  I thought it is working like rememberMe in gmail

                  • 6. Re: Is
                    Arjan van Bentem Novice

                     

                    "amitev" wrote:
                    So the whole idea for rememberMe is just to remember the username and add it to the userName filed in the login form?

                    Based on your own report on the contents of the cookie, that's indeed what Seam can do by default. However, Seam also fires an event which your own components could use to do whatever you want -- see section "Component-driven events" in the documentation.

                    • 7. Re: Is
                      Adrian Mitev Master

                      May i change the cookie data to store some hash?