Protect against cookie attacks

Registered by niels

At the moment the userid is stored in the session. This is a problem if someone steals the cookie: they then have access for as long as the application secret doesn't change.

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: niels
Direction: Needs approval
Assignee: niels
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None

Related branches

Sprints

Whiteboard

The idea is to store all the data encrypted in the remember-me cookie. Then we could have a short timeout, after which the rememberMe cookie is used to check whether the password has changed, and a long timeout, after which the rememberMe token is no longer accepted at all.
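An added example (not code from this blueprint or its project) of the two-timeout scheme above: the token carries the userid, an issue time and a keyed fingerprint of the stored password hash. Within the short timeout it is accepted as-is; after it, the fingerprint is re-checked against the current password hash (so a stolen token dies with a password change); after the long timeout it is rejected outright. The token is HMAC-signed rather than encrypted, which is an assumption of this example; `secret` is the application secret and `lookup_password_hash` is a hypothetical callback into the user store.

```python
import base64
import hashlib
import hmac
import json
import time

SHORT_TIMEOUT = 15 * 60         # seconds: re-check the password fingerprint after this
LONG_TIMEOUT = 30 * 24 * 3600   # seconds: absolute lifetime, never accepted after this


def password_fingerprint(password_hash: str, secret: bytes) -> str:
    """Keyed digest of the stored password hash; changes whenever the password changes."""
    return hmac.new(secret, password_hash.encode(), hashlib.sha256).hexdigest()


def issue_token(userid: str, password_hash: str, secret: bytes, now=None) -> str:
    """Build a signed rememberMe token: base64(payload) + '.' + HMAC(payload)."""
    now = int(now if now is not None else time.time())
    payload = {"uid": userid, "iat": now, "pwd": password_fingerprint(password_hash, secret)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, secret: bytes, lookup_password_hash, now=None):
    """Return (userid, needs_refresh) for an accepted token, or None if it is rejected."""
    now = int(now if now is not None else time.time())
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # tampered or forged token
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    age = now - payload["iat"]
    if age < 0 or age > LONG_TIMEOUT:            # long timeout: token is dead regardless
        return None
    if age > SHORT_TIMEOUT:                      # short timeout: prove the password is unchanged
        current = lookup_password_hash(payload["uid"])
        if current is None or not hmac.compare_digest(
            payload["pwd"], password_fingerprint(current, secret)
        ):
            return None
        return payload["uid"], True              # still valid; caller should reissue a fresh token
    return payload["uid"], False                 # inside the short window: no store lookup needed
```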

(?)

Work Items
