http://www.jforum.net/doc/SSOCookies
This link writes about SSO but
Cookie cookie = new Cookie("JforumSSO", user.getUsername());
cookie.setMaxAge(-1); // session cookie, or set to positive number.
response.addCookie( cookie );
Everybody can make a fake cookie to enter the website as someone else's account.
Maybe I'm wrong about that, but as far as I know Hotmail has had a security hole like that before too...
When a user clicks on some link in the Hotmail window, the attacker accesses his account for free.
Is there no security for that? :roll:
By the way, I'm using SSOCookies.java for SSO.
[originally posted on jforum.net by kadirbasol]
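One way to close the gap raised above is to bind the cookie value to a server-side secret, so a bare username is rejected. This is an added example, not part of the original post and not JForum's own code; the class name `SignedSsoCookie`, the value layout and the demo key are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper (not part of JForum): binds the SSO cookie value to a server-side secret.
public class SignedSsoCookie {
    private final byte[] key; // known only to the login application and the forum
    public SignedSsoCookie(byte[] key) { this.key = key.clone(); }

    private String mac(String data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(m.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    // Cookie value: base64url(username) . expiryEpochSeconds . HMAC over the first two fields
    public String issue(String username, long expiresAt) throws Exception {
        String user = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(username.getBytes(StandardCharsets.UTF_8));
        String payload = user + "." + expiresAt;
        return payload + "." + mac(payload);
    }

    // Returns the username, or null if the value is malformed, forged or expired.
    public String verify(String value, long now) throws Exception {
        String[] p = value == null ? new String[0] : value.split("\\.", -1);
        if (p.length != 3) return null;
        byte[] expected = mac(p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII);
        byte[] given = p[2].getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, given)) return null; // constant-time compare
        try {
            if (Long.parseLong(p[1]) < now) return null; // expired
            return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { return null; } // bad number or bad base64
    }

    public static void main(String[] args) throws Exception {
        byte[] demoKey = "constructed-demo-key-not-for-use".getBytes(StandardCharsets.UTF_8);
        SignedSsoCookie c = new SignedSsoCookie(demoKey);
        long now = System.currentTimeMillis() / 1000;
        String good = c.issue("alice", now + 3600);
        System.out.println(c.verify(good, now));    // genuine cookie
        System.out.println(c.verify("alice", now)); // bare username, as in the snippet above
        System.out.println(c.verify(good.replaceFirst("^[^.]+", "Ym9i"), now)); // username swapped
    }
}
```

The login application would pass the result of `issue(...)` as the cookie value instead of `user.getUsername()`, and the forum-side SSO class would call `verify(...)` before trusting the name.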