shiro-dev mailing list archives

From "Richard Bradley (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SHIRO-561) "Remember me" cookie age is not verified server-side
Date Thu, 25 Feb 2016 17:22:18 GMT
Richard Bradley created SHIRO-561:
-------------------------------------

             Summary: "Remember me" cookie age is not verified server-side
                 Key: SHIRO-561
                 URL: https://issues.apache.org/jira/browse/SHIRO-561
             Project: Shiro
          Issue Type: Bug
    Affects Versions: 1.2.4
            Reporter: Richard Bradley


The "remember me" cookie has a max age limit which is configurable in Shiro (see CookieRememberMeManager).

However, Shiro does not enforce this limit at all -- it trusts the client to expire the "remember
me" cookie after the requested time limit.

Because the cookie value has no server-side age verification, if a malicious client gets a
copy of the remember me cookie, then it will last forever, regardless of the max age limit
configured in Shiro.

See also http://stackoverflow.com/questions/26639205/shiro-how-does-remember-me-work/35633675



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
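The report above describes a remember-me cookie whose lifetime exists only as a client-side `Max-Age` hint, so a copied cookie stays valid indefinitely. The following Python example, added here and not part of Shiro or of the report, shows the mitigation a server can apply regardless of what the client does: embed the issue time in the token, authenticate the token with an HMAC, and reject it once the server-side age exceeds the configured limit. The secret key, the `MAX_AGE_SECONDS` value, the `iat` field name and the token layout are all assumptions chosen for this illustration; `verify_mac_only` reproduces the weak behaviour the report complains about (authenticity checked, age never checked) beside the hardened `verify_remember_me_token`.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret for this example only. In a real deployment
# it comes from configuration or a key store, never from source code.
SECRET_KEY = b"example-remember-me-key-not-for-production"

# Plays the same role as the configurable cookie max age in the report:
# 14 days, chosen arbitrarily for the illustration.
MAX_AGE_SECONDS = 14 * 24 * 3600


def _b64(raw: bytes) -> bytes:
    # URL-safe base64 without padding, so the value is cookie-friendly.
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def _tag(body: bytes) -> bytes:
    # HMAC over the encoded body; the client cannot forge or backdate "iat".
    return _b64(hmac.new(SECRET_KEY, body, hashlib.sha256).digest())


def issue_remember_me_token(principal: str, issued_at: Optional[int] = None) -> str:
    """Build a remember-me cookie value that carries its own issue time ("iat")."""
    iat = int(time.time()) if issued_at is None else int(issued_at)
    payload = {"principal": principal, "iat": iat}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return (body + b"." + _tag(body)).decode()


def _authenticate(token: str) -> Optional[dict]:
    """Return the decoded payload if the HMAC is valid, else None."""
    try:
        body, sig = token.encode().split(b".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _tag(body)):
        return None
    try:
        return json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None


def verify_mac_only(token: str) -> Optional[str]:
    """Weak check: trusts the client to discard the cookie after Max-Age.

    A leaked token passes this check forever, which is the defect the report
    describes.
    """
    payload = _authenticate(token)
    return None if payload is None else payload["principal"]


def verify_remember_me_token(token: str,
                             max_age: int = MAX_AGE_SECONDS,
                             now: Optional[float] = None) -> Optional[str]:
    """Hardened check: authentic AND not older than max_age by the server clock.

    The age is computed server-side from the signed "iat" field, so a stolen
    cookie stops working once the configured limit has passed, whatever the
    client did with the cookie's Max-Age attribute.
    """
    payload = _authenticate(token)
    if payload is None:
        return None
    current = time.time() if now is None else now
    age = current - payload["iat"]
    # Reject tokens from the future as well as expired ones.
    if age < 0 or age > max_age:
        return None
    return payload["principal"]


if __name__ == "__main__":
    issued = 1_000_000  # constructed epoch timestamp for a deterministic demo
    token = issue_remember_me_token("alice", issued_at=issued)
    print("fresh, hardened  :", verify_remember_me_token(token, now=issued + 3600))
    print("15 days, mac-only:", verify_mac_only(token))
    print("15 days, hardened:", verify_remember_me_token(token, now=issued + 15 * 24 * 3600))
```

The only state the server needs is its clock and the HMAC key; no per-token database is required, which is why this check is cheap to add to a stateless cookie scheme. Revocation before expiry still needs a server-side record, but the age limit alone already bounds how long a copied cookie remains useful.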
