[SHIRO-561] "Remember me" cookie age is not verified server-side - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 1.2.4
Fix Version/s: None
Component/s: None
Labels:
None

Description

The "remember me" cookie has a max age limit which is configurable in Shiro (see CookieRememberMeManager).

However, Shiro does not enforce this limit at all – it trusts the client to expire the "remember me" cookie after the requested time limit.

Because the cookie value has no server-side age verification, if a malicious client gets a copy of the remember me cookie, then it will last forever, regardless of the max age limit configured in Shiro.

See also http://stackoverflow.com/questions/26639205/shiro-how-does-remember-me-work/35633675

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Richard Bradley

Votes:: 4 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 25/Feb/16 17:22

Updated:: 25/Feb/16 17:22