Use a random key to "encrypt" the remember-me cookie's value
Since Spring's default remember-me technique is terrible security-wise (`user:timestamp:md5(user:timestamp:password:key)`), we should at least use a random key instead of a fixed one; otherwise, an attacker able to capture the cookies might be able to trivially brute-force the password of the associated user offline.
Showing with 12 additions and 2 deletions.
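To make the role of the key concrete, here is an added example (not the project's code, and not Spring's own implementation, which also base64-encodes the cookie): it builds and verifies a token in the `user:timestamp:md5(user:timestamp:password:key)` layout the commit message describes, and shows that a verifier holding the cookie but not the key cannot confirm a password. The `lookup_password` callback, the `new_random_key` helper and the sample credentials are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Layout from the commit message: user:timestamp:md5(user:timestamp:password:key).
# MD5 is used here only because that is the scheme being discussed, not as a recommendation.


def make_token(user: str, password: str, key: str, expiry: int) -> str:
    """Build the remember-me cookie value for `user`, valid until `expiry` (epoch seconds)."""
    sig = hashlib.md5(f"{user}:{expiry}:{password}:{key}".encode()).hexdigest()
    return f"{user}:{expiry}:{sig}"


def verify_token(token: str, lookup_password: Callable[[str], Optional[str]],
                 key: str, now: int) -> Optional[str]:
    """Server-side check: recompute the signature with the stored password and the
    server's key. Returns the user name on success, None on any failure.
    `lookup_password` (assumed helper) returns the stored password for a user, or None."""
    try:
        user, expiry_s, sig = token.rsplit(":", 2)  # tolerate ':' inside the user name
        expiry = int(expiry_s)
    except ValueError:
        return None
    if expiry < now:  # cookie has expired
        return None
    password = lookup_password(user)
    if password is None:  # unknown user
        return None
    expected = hashlib.md5(f"{user}:{expiry}:{password}:{key}".encode()).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return user if hmac.compare_digest(expected, sig) else None


def new_random_key() -> str:
    """Per-deployment key from the OS CSPRNG (256 bits, hex-encoded), instead of a fixed string.
    Without this key a captured cookie cannot be used to test password guesses offline."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    stored = {"alice": "correct horse battery"}
    key = new_random_key()
    cookie = make_token("alice", stored["alice"], key, expiry=2_000_000_000)
    print("valid with server key:", verify_token(cookie, stored.get, key, 1_700_000_000))
    print("valid with other key: ", verify_token(cookie, stored.get, new_random_key(), 1_700_000_000))
```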