shiro-dev mailing list archives

From "Richard Bradley (JIRA)" <>
Subject [jira] [Created] (SHIRO-561) "Remember me" cookie age is not verified server-side
Date Thu, 25 Feb 2016 17:22:18 GMT
Richard Bradley created SHIRO-561:

             Summary: "Remember me" cookie age is not verified server-side
                 Key: SHIRO-561
             Project: Shiro
          Issue Type: Bug
    Affects Versions: 1.2.4
            Reporter: Richard Bradley

The "remember me" cookie has a max age limit which is configurable in Shiro (see CookieRememberMeManager).

However, Shiro does not enforce this limit at all -- it trusts the client to expire the "remember
me" cookie after the requested time limit.

Because the cookie value has no server-side age verification, if a malicious client gets a
copy of the remember me cookie, then it will last forever, regardless of the max age limit
configured in Shiro.

See also

This message was sent by Atlassian JIRA

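The report above describes a cookie whose lifetime is enforced only by the browser's max-age attribute. The following is an added example, not code from Shiro or from the reporter, showing the difference between a verifier that checks only authenticity (the reported behaviour) and one that also checks the cookie's age server-side. It assumes a cookie format of its own: a MAC-protected payload carrying the principal and an issue timestamp (`iat`), a constructed `SERVER_KEY`, and a hypothetical `MAX_AGE_SECONDS` standing in for the limit configured in `CookieRememberMeManager`.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key; a real deployment loads this from its key store.
SERVER_KEY = b"constructed-example-key-not-for-production"
# Hypothetical limit, standing in for the max age configured in Shiro.
MAX_AGE_SECONDS = 14 * 24 * 3600


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_remember_me(principal: str, now: Optional[int] = None) -> str:
    """Create a remember-me cookie value that records when it was issued.

    The server can only enforce a max age if the cookie carries its issue
    time under the same MAC as the principal, so the client cannot alter it.
    """
    issued_at = int(time.time()) if now is None else int(now)
    payload = json.dumps({"principal": principal, "iat": issued_at},
                         separators=(",", ":")).encode("utf-8")
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64encode(payload) + "." + _b64encode(mac)


def _authenticate(cookie: str) -> Optional[dict]:
    """Return the decoded payload if the MAC is valid, otherwise None."""
    try:
        payload_b64, mac_b64 = cookie.split(".")
        payload = _b64decode(payload_b64)
        mac = _b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def verify_client_trusting(cookie: str) -> Optional[str]:
    """Mirrors the reported behaviour: the MAC is checked but the age is not,
    so only the browser's max-age ever retires the cookie. A copied cookie
    therefore keeps working indefinitely."""
    data = _authenticate(cookie)
    return data["principal"] if data else None


def verify_server_side(cookie: str, max_age: int = MAX_AGE_SECONDS,
                       now: Optional[int] = None) -> Optional[str]:
    """Hardened check: an authentic cookie older than max_age is rejected,
    so a copied cookie stops working once the configured limit passes."""
    data = _authenticate(cookie)
    if not data:
        return None
    current = int(time.time()) if now is None else int(now)
    age = current - int(data.get("iat", 0))
    if age < 0 or age > max_age:
        return None  # stale (or dated in the future): not remembered
    return data["principal"]


if __name__ == "__main__":
    # Constructed timeline: issued at t0, presented one day and thirty days later.
    t0 = 1_456_000_000
    cookie = issue_remember_me("alice", now=t0)
    print("day 1, client-trusting:", verify_client_trusting(cookie))
    print("day 1, server-side:   ", verify_server_side(cookie, now=t0 + 86400))
    print("day 30, client-trusting:", verify_client_trusting(cookie))
    print("day 30, server-side:   ", verify_server_side(cookie, now=t0 + 30 * 86400))
```

The `now` parameters exist so the age check can be exercised deterministically; in production both functions would use the real clock. Note that the age check only helps if the timestamp is covered by the MAC, which is why `iat` lives inside the signed payload rather than in a separate cookie attribute.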