The flaw, first disclosed on September 24, 2013, is that the CookieStore mechanism keeps the session entirely in a client-side cookie without maintaining a corresponding entry on the server side, meaning that cookies "persist for life" and can be used to access an application even after the session is thought to be terminated.
The risk, McNamara wrote at the time, is that "a malicious user could use the stolen cookie from any authenticated request by the user to log in as them at any point in the future."
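To make the mechanism concrete, here is an added example (not code from the article, nor from Rails itself) contrasting a stateless signed cookie in the CookieStore style with a session whose id is tracked on the server; the class and function names and the demo secret are assumptions, and the "captured cookie" is constructed inside the example.

```ruby
require "openssl"
require "json"
require "securerandom"

SECRET = "constructed-demo-secret-not-a-real-key" # placeholder only

# Constant-time comparison so MAC checks do not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Signed, stateless cookie in the CookieStore style: base64 payload plus HMAC.
def sign_cookie(payload, secret = SECRET)
  data = [JSON.generate(payload)].pack("m0")
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, data)}"
end

# Returns the payload hash if the signature verifies, nil otherwise.
def verify_cookie(cookie, secret = SECRET)
  data, mac = cookie.to_s.split("--", 2)
  return nil if data.nil? || mac.nil?
  return nil unless secure_equal?(OpenSSL::HMAC.hexdigest("SHA256", secret, data), mac)
  JSON.parse(data.unpack1("m0"))
rescue ArgumentError, JSON::ParserError
  nil
end

# CookieStore model: no server record, so logout has nothing to revoke.
class StatelessSessions
  def login(user); sign_cookie({ "user" => user }); end
  def logout(_cookie); end # only the browser's copy is cleared
  def user_for(cookie); (p = verify_cookie(cookie)) && p["user"]; end
end

# Server-backed model: cookie carries a random id; the server keeps the live set.
class ServerBackedSessions
  def initialize; @live = {}; end
  def login(user); sid = SecureRandom.hex(16); @live[sid] = user; sign_cookie({ "sid" => sid }); end
  def logout(cookie); (p = verify_cookie(cookie)) && @live.delete(p["sid"]); end
  def user_for(cookie); (p = verify_cookie(cookie)) && @live[p["sid"]]; end
end

# Does a cookie issued before logout still identify the user afterwards?
# Returns the user name the server still accepts, or nil once it is revoked.
def user_after_logout(store)
  cookie = store.login("alice") # constructed session, stands in for a captured cookie
  store.logout(cookie)
  store.user_for(cookie)
end
```

With the stateless store the old cookie still verifies after logout, which is exactly the "persist for life" behaviour described above; with the server-backed store the same cookie is rejected.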
Photo courtesy of Shutterstock.