The user argument contains sensitive information, such as user password. The user password is combined with user login to form a hash using SHA-1 algorithm. However, this is a weak algorithm, and tools like hash killer can easily decrypt billions of hashes.
I would suggest avoiding passing user password to setCookie(). This would help to prevent someone accessing our accounts when they have access to our browser cookies.
The text was updated successfully, but these errors were encountered:
To get proper entropy in user authentication cookie creation,
make use of `SecureRandom` instead of using `Math.random()`, or
Introduce our own wrapper `SecureRandom` around `java.security.SecureRandom`.
This a) makes sure that the PRNG is seeded on creation and not when
random bytes are retrieved, and
b) uses a static instance in the `UserModel` so that lags do not occur
during operation due to potentially seeding getting blocked on Unix
when reading from the system's entropy pool. To keep the random data
still secure, the static instance will reseed all 24 hours, also a
functionality of the wrapper class.
This fixesgitblit#1063 and extends and closes PR gitblit#1116